CMS Expert Guide to digital health apps and telemedicine

  1. Digital Health Apps/Software
    1. How is the software within digital health apps classified in your jurisdiction, and what regulation(s) apply?
    2. Are there any other legal regimes that may govern digital health software? (e.g. data protection/ privacy) If yes, please indicate these.
    3. If your response to Q2 is yes, please state whether it matters if, the users are residents using it within their jurisdiction and/or using it outside their jurisdiction; and/or it is a “B2B” (business to business) rather than “B2C” (business to end consumer) service. In each case, please summarise any implications (if applicable).
    4. Do any particular features, such as location tracking, or monitoring real-time information, trigger any additional consent requirement, regulatory approval, and/or other restrictions beyond the general ones applicable to Q1/Q2?
    5. In the context of physicians relying on digital health apps (containing software), whether for in-person or via telemedicine consultations, are there circumstances where the physicians’ liability can be limited or transferred to the producer of the software contained in the app, or of the final product/app itself, when a fault or inaccuracy with the software (rather than the physicians’ error) occurs, leading to damage (or injury)?
    6. Please describe the enforcement mechanism for compliance with regard to the regulations discussed in Q1, Q2, and/or Q4 in your jurisdiction with regard to the software contained in digital health apps. What are the legal consequences for non-compliance?
    7. Are you aware of any future legal developments in your jurisdiction with regard to digital health apps/software?
  2. Telemedicine
    8. How are physicians regulated in your jurisdiction (i.e., who is their Regulator; e.g., the General Medical Council in the UK)?
    9. What laws and/or regulations apply to physicians regarding telemedicine?
    10. Does the law in your jurisdiction regulate under what circumstances physicians can use telemedicine in order to treat patients?
    11. Do the standards of care applicable to physicians change in the context of using telemedicine?
    12. Are there any restrictions on the type of medicine that can be prescribed through telemedicine?
    13. Are telemedicine services reimbursable under the state’s medical insurance / subsidy / coverage?
    14. Are there specific data protection regulations covering telemedicine (outside the context of using a digital health app) in your jurisdiction? If so, please summarise what they are.
    15. Are you aware of any future legal developments in your jurisdiction with regard to telemedicine?

Digital Health Apps/Software

1. How is the software within digital health apps classified in your jurisdiction, and what regulation(s) apply?

1.1 Is it considered a “medical device” or a “product” to which liability can attach, and if so, under what regulations?

Software in the form of a digital health app may be considered a “medical device” largely depending on its functionality. 

Medical devices are currently regulated by the Medical Devices Regulations 2002 which give effect to the EU directives 93/42/EEC and 98/79/EC on medical devices and IVDs respectively. Following the expiry of the Brexit implementation period on 31 December 2020, CE marked medical device apps will continue to be accepted in Great Britain (“GB”), which comprises England, Scotland, and Wales, until 30 June 2023. From 1 July 2023 all medical devices placed on the market in GB (and therefore in England) will be subject to new UKCA mark requirements, which are awaited. CE marked medical software apps will continue to be accepted in Northern Ireland (“NI”) after 1 July 2023 while the NI Protocol agreed with the EU remains in force.

The definition of a medical device includes both standalone software and software that is used in combination with a device that is “intended by its manufacturer to be used specifically for diagnostic and/or therapeutic purposes.” [Footnote 1: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/521458/Borderlines_with_medical_devices.pdf]

Under current law, a software digital health app will qualify as a “medical device” if it is intended to be used for one or more of the medical purposes specified in the definition of a medical device or IVD, which include, inter alia, diagnosis, treatment, and monitoring of a disease, injury or disability. 

Following CJEU jurisprudence from 2017 (in Case C 329/16 concerning Philips’ prescribing software), which will be retained law in GB after 31 December 2020, software where at least one of the functions makes it possible to use patient-specific data for a medical purpose is, in respect of that function, a medical device. This aligns with the position taken in both the European Commission’s MEDDEV 2.1/6 of July 2016 and guidance from the Medical Devices Coordination Group (established under the MDR). Although neither of these have binding effect in GB, they indicate that, where standalone software used in healthcare has applications that consist of both medical device and non-medical device “modules,” only the modules that have medical device functionality need to comply with medical device requirements.

Therefore, where certain parts of an app qualify as a medical device, this does not necessarily qualify the whole app as a medical device if the modules can be considered distinct.

If software in the form of a digital health app is considered a medical device, the software must be validated through pre-market conformity assessment to demonstrate it conforms to the safety and performance requirements set out in the Medical Devices Regulations 2002 and the applicable Medical Devices Directive. In practice, this entails the legal manufacturer successfully performing the required pre-market conformity assessment and establishing appropriate systems and procedures to fulfil the manufacturer’s post-market surveillance and vigilance reporting obligations. 

The current GB medical devices legislation only regulates products that are placed on the market or made available in the “Union”. [Footnote 2: Due to various international agreements, for the purposes of medical device legislation, “Union” is the EEA, Switzerland, Turkey and the UK, until 31 December 2020.] Therefore, a service provided from outside the Union is arguably not regulated by current GB medical devices legislation even where it has a medical purpose, though this is a controversial regulatory issue. It is notable that this issue has been resolved in the EU in favour of future regulation of such services (from May 2021) by requiring the underlying software devices to be CE marked. However, as GB will not implement the EU MDR or IVDR (EU Regulations 2017/745 and 746), this will require further legislation in GB.

1.2 If your response to Q1.1 is yes, please state whether there are any exclusions/exemptions applicable with regard to liability, and/or whether those are applicable only under certain circumstances (e.g., for in-hospital use)?

Whether or not software in the form of a digital health app satisfies the definition of a medical device, general civil law liability principles apply. In particular, civil liability could potentially arise under the common law tort of negligence and/or in contract.

There exists some legal uncertainty as to whether standalone, non-embedded software (i.e., software that has to be downloaded) constitutes a “product” within the scope of the Consumer Protection Act 1987 (“CPA”), which has given effect to the EU product liability directive 85/374/EEC in GB. The CPA is expressed to apply to “goods or electricity”. [Footnote 3: Section 1(2) of the CPA.] We are not aware of any GB case law that specifically addresses whether non-embedded software can be “goods” for the purposes of the CPA. However, English first instance and appellate case law relating to other legislation that is expressed to apply to “goods” has concluded that downloaded software is not “goods” for the purposes of that legislation. [Footnote 4: See Computer Associates UK Ltd v The Software Incubator Ltd [2018] EWCA Civ 518; at issue in this case was whether supply of downloadable software could be a ‘sale of goods’ for the purposes of the Commercial Agents (Council Directive) Regulations 1993. Please note that this case has been appealed to the UK Supreme Court and a reference has been made to the Court of Justice of the European Union.] These decisions suggest that GB courts could have similar doubts to those expressed by the European Commission and others regarding whether the EU product liability directive (or CPA in GB) is applicable to digital technologies. [Footnote 5: Report from the Commission to the European Parliament, the Council and the European Economic and Social Committee: Report on the safety and liability implications of Artificial Intelligence, the Internet of Things and robotics (19 February 2020) and Report from the Expert Group on Liability and New Technologies – New Technologies Formation: Liability for AI and other Emerging Digital Technologies (27 November 2019).]

Software within digital health apps (the “DHA Software”) can be considered as a medical device.

1.1 Is it considered a “medical device” or a “product” to which liability can attach, and if so, under what regulations?

DHA Software can be classified as a computer program, which under certain circumstances falls within the definition of a medical device according to the Slovak Act on Medicinal Products and Medical Devices (the “Act”). The Act implemented Directive 93/42/EEC. In addition to the Act, Regulation (EU) 2017/745 on medical devices and Regulation (EU) 2017/746 on in vitro diagnostic medical devices (the “EU Regulations”) should also be taken into account.

The manufacturer shall assess whether the DHA Software it created falls under the regime of the EU Regulations. The EU Commission provides numerous non-binding guidance documents (e.g., Manual on borderline and classification in the community regulatory framework for medical devices) for this purpose, which are intended to assist manufacturers in determining whether their DHA Software falls within the definition of a medical device. 

1.2 If your response to Q1.1 is yes, please state whether there are any exclusions/exemptions applicable with regard to liability, and/or whether those are applicable only under certain circumstances (e.g., for in-hospital use)?

There is no specific legal regime governing the DHA Software. Claims related to DHA Software considered to be a medical device shall be analysed on a case-by-case basis, taking into account the general liability regimes provided for in the Slovak Civil Code. It is necessary to distinguish between damage caused by the DHA Software manufacturer and damage caused by a health care practitioner using the DHA Software. The health care practitioner using the DHA Software could fall under a strict liability regime. This means that the practitioner cannot benefit from liability exemptions. The practitioner is held liable even if he or she proves that he or she did not cause damage to a patient by his or her misconduct or omission. On the other hand, the liability of the DHA Software manufacturer may not be strict liability. The DHA Software manufacturer may fall under the liability regime which allows for exemptions if it can prove that it is not culpable (i.e., did not breach its duty).

Furthermore, there is a risk of liability for violation of rights to protection of personality if there is a causal link between the damage caused and the DHA Software used. No liability exemptions apply in this case.

Data Protection

If the personal data of users/patients is processed using digital health software, such processing must comply with the data protection laws in force in the UK, in particular with: 

  • The General Data Protection Regulation (“GDPR”); 
  • The Data Protection Act 2018 (the “DPA”); and
  • The Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”), to the extent relevant.

The GDPR generally governs the processing of personal data and requires that any processing undertaken is done lawfully, fairly and in a transparent manner. (See in particular Articles 5(1)(a), 6, 13 & 14 GDPR.) The GDPR also imposes further conditions on the processing of “special category data” including health data. (See Article 9 GDPR.) The DPA is a national law which supplements the GDPR, and sets out additional requirements for the processing of special category data in the UK.

Following the end of the Brexit transition period in the UK (31 December 2020), the GDPR will be retained in UK law and become known as the “UK GDPR”. It will continue to apply subject to certain adaptations. (See The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.)

PECR sits alongside the DPA and GDPR and imposes specific requirements in the context of marketing, cookies, keeping communications secure, and customer privacy. 

Consumer Rights

The Consumer Rights Directive (2011/83/EC) applies when a person purchases an app relating to lifestyle or wellbeing. Any data that is transferred via the app is likely to be considered personal data.

The Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013 (SI 2013/3134) (“CCRs”) implement most of the Consumer Rights Directive. The Consumer Protection (Amendment etc.) (EU Exit) Regulations 2018 amend the CCRs by making various amendments to EU-derived UK consumer protection legislation, including the removal of references to EU legislation. They also include an omission of CCR 3(2) relating to having regard, in the Secretary of State’s periodic reviews, to what is done in other EU Member States to implement The Consumer Rights Directive.

Besides the above-mentioned Slovak and EU regulations, the DHA Software in general can also be regulated under other Slovak acts, such as the following:

  • Health Care and Health Care Services Act;
  • Act on Personal Data Protection;
  • Act on Electronic Communications;
  • National Health Information System Act; and
  • Copyright Act.

3. If your response to Q2 is yes, please state whether it matters if, the users are residents using it within their jurisdiction and/or using it outside their jurisdiction; and/or it is a “B2B” (business to business) rather than “B2C” (business to end consumer) service. In each case, please summarise any implications (if applicable). 

3.1 The users are residents using it within their jurisdiction and/or using it outside their jurisdiction.

The GDPR applies to the processing of personal data in the context of an establishment of a controller/processor in the EEA or UK, regardless of whether the processing takes place there. (See Article 3(1) GDPR.)

In addition, the GDPR applies if a controller/processor is not established in the EEA or UK but processes the personal data of data subjects in the EEA or UK when the processing activities relate to the offering of goods/services or monitoring the behaviour of the data subjects so far as that takes place within the EEA or UK. (See Article 3(2) GDPR.)

3.2 It is a “B2B” (business to business) rather than “B2C” (business to end consumer) service.

The GDPR and DPA do not distinguish between the processing of personal data in a B2B or B2C context and may apply to processing in either context.

In general, the marketing requirements of PECR will apply in a B2C but not B2B context. There are however exceptions in the case of marketing relating to sole traders and some partnerships to which the PECR marketing requirements will also apply. (See in particular regulation 22 PECR.)

3.1 The users are residents using it within their jurisdiction and/or using it outside their jurisdiction.

Claims for damage caused to residents outside their jurisdiction will likely invoke the application of rules on conflict of laws. These rules differ between EU member states and third countries. Therefore, it is necessary to assess each claim individually depending on the applicable legal regime.

3.2 It is a “B2B” (business to business) rather than “B2C” (business to end consumer) service.

Certain cases can be considered B2B and others B2C. Each has a different liability regime. The liability of the manufacturer towards the patient will be assessed under the B2C regime. The B2C regime applies strict liability, which does not allow for exemptions. For details please refer to Question 1 above.

The liability of the manufacturer towards the health care practitioner could be assessed under the B2B regime because the health care practitioner can be involved in such a relationship within his profession.

Data protection 

To the extent that personal data is processed for location tracking or monitoring real-time information, the GDPR applies. 

Location tracking

PECR governs the processing of location tracking information. In general, such processing is only permitted in cases in which it is undertaken by a services provider on an anonymous basis or if it is necessary for a value added service (i.e., beyond what would be needed for transmission or billing of a communication) and the user has consented. (Traffic data is subject to separate requirements.) (See in particular regulation 14 PECR.)

Monitoring real-time information

If the monitoring of real-time information includes the processing of health data then, as explained above, this is classified as special category data under the GDPR and subject to additional requirements under the GDPR and DPA. (See Article 9 GDPR.)

Please note that the GDPR also imposes specific requirements in respect of automated individual decision-making, including profiling. Such decision-making must not be based on special category data such as health data unless the controller takes suitable measures to safeguard the data subject's rights and freedoms and legitimate interests and either: 

  • the data subject has given their explicit consent to the processing, or
  • the processing is necessary for reasons of substantial public interest (and has met additional DPA requirements).

(See in particular Article 21 GDPR, section 10 and Part 2 of Schedule 1 DPA.)

Cookies

If a digital app were to include analytical, behavioural or marketing cookies, then the use of such cookies requires prior consent by the data subject. Unless an exemption applies, PECR requires the following for the use of cookies:

  • the provision of "clear and comprehensive" information; and
  • the consent of website users or subscribers.

(See in particular regulation 6 PECR.)

Further additional consents, regulatory approvals and/or other restrictions beyond the general ones mentioned in Question 1 or Question 2 are for example as follows:

  1. business licences;
  2. conformity consents (i.e., all medical devices must bear a mark of conformity issued by the State Institute for Drug Control certifying that a medical device poses no health risk);
  3. consents according to the Act on Personal Data Protection;
  4. consents according to the Act on Electronic Communications.

5. In the context of physicians relying on digital health apps (containing software), whether for in-person or via telemedicine consultations, are there circumstances where the physicians’ liability can be limited or transferred to the producer of the software contained in the app, or of the final product/app itself, when a fault or inaccuracy with the software (rather than the physicians’ error) occurs, leading to damage (or injury)? 

We refer you to our response to Question 9 for information regarding the standards to which a doctor is held. 

Generally speaking, whether liability would fall on a Healthcare Professional (“HCP”) or the producer depends on where the fault lies.

If the HCP’s clinical decision was based on defective or faulty software, then the producer may be deemed negligent, or the product may be considered defective such that general product liability principles may apply. In those situations, liability would likely be borne by the producer of the software. If a claim is brought against the HCP and the HCP is found liable, then the HCP may bring a claim for contribution against the producer. However, if the HCP’s erroneous clinical decision is not due to any defect or fault concerning the software, then the HCP could face a claim in negligence brought against him/her directly.

Please see Question 1 for more details regarding limitations of liability. 

In numerous Slovak cases, the health care practitioners are likely to be held liable. According to the Health Care Act and the Health Care Services Act and the Code of Ethics attached thereto, health care practitioners are obliged to always act lege artis (i.e., in accordance with the most current medical knowledge) and in such a way that no patient suffers any damage. Such strict liability cannot be transferred or exempted. Thus, health care practitioners shall not rely on the producer’s liability for defective DHA Software.

Medical Devices

If the digital health app satisfies the definition of a medical device (such that its intended use is for diagnostic, treatment, prevention, or prognosis purposes), then in order to lawfully place this on the market in GB, the manufacturer must conduct an appropriate pre-market conformity assessment procedure. Depending on the risk classification of the app under the EU Medical Devices Directive, this may also entail an assessment of the technical documentation and the manufacturer’s quality system by a Notified Body (designated by the competent authority). 

In the post-market period the manufacturer of a medical device app must fulfil post-market surveillance and vigilance reporting obligations overseen by the Medicines and Healthcare products Regulatory Agency (MHRA) which is the competent authority for medical devices in the UK. Where adverse incidents are caused by a device, then corrective action may be required. This may include the recall or withdrawal of a product in order to eliminate the risk of injury or death.

All obligations under the Medical Devices Regulations 2002 are enforced via the criminal law in the UK. The MHRA, as the enforcement authority, also has a range of statutory powers in the 2002 Regulations and in the CPA to enable it to require compliance, investigate product safety as well as to act directly against products, e.g., by issuing compliance, prohibition or information notices concerning individual products. Offences for breach of the 2002 Regulations are set out in the CPA. Penalties for offences include imprisonment for up to 6 months, an unlimited fine, or both. 

For direct-to-consumer apps, manufacturers (or importers into GB from 1 January 2021) may also be ordered to recall the apps under the powers in the General Product Safety Regulations 2005, which have given effect to the EU General Product Safety Directive 2001/95/EC in GB. Under this legislation distributors (if relevant for software devices) also have obligations to act with due care, not to promote or supply unsafe devices, to cooperate with regulatory authorities, and to assist with monitoring through traceability measures. 

In addition to potential regulatory liability, a manufacturer or supplier of a defective health app which causes injury may face civil liability claims from injured users. Depending on the exact circumstances, users may be able to claim damages in respect of their injury under: (i) the tort of negligence; and/or (ii) where the user has a contract directly with the producer of the health app, contract law (under either express or implied product quality warranties in the contract). As explained above, there is currently uncertainty as to whether injured users will be able to recover compensation for injury or loss under the CPA where this is caused by defects in standalone software apps.

Data Protection

Under the GDPR, supervisory authorities such as the Information Commissioner’s Office (ICO) have a number of enforcement powers, including:

  • to issue an information notice requiring information in order to exercise their functions and conduct investigations;
  • to issue an enforcement notice requiring a person to take certain steps, or refrain from taking certain steps, which may include an absolute or partial ban on processing;
  • to issue an assessment notice allowing them to conduct assessments of compliance with applicable legislation. 

In addition, for breaches of the GDPR the ICO may impose a fine of up to 20 million Euros or 4% of worldwide annual turnover of the preceding financial year, whichever is higher. For a breach of PECR, the ICO can also impose a fine of up to £500,000.

(See in particular Article 83 GDPR and regulation 31 PECR.)

From the perspective of a patient who suffered damage, potential enforcement mechanisms are for example as follows:

  1. a court claim for pecuniary damages or non-pecuniary damages; 
  2. filings to the Health Care Surveillance Authority, the Office for the Personal Data Protection of the Slovak Republic, or to the Regulatory Authority for Electronic Communications and Postal Services; and
  3. disciplinary proceedings held by the Slovak Medical Chamber.

Legal consequences for non-compliance depend on the type of a breach and its seriousness and are as follows:

  1. administrative fines issued by health care authorities;
  2. prohibition of provision of health care services;
  3. indemnities;
  4. disciplinary penalties (disciplinary reprimands, fines, expulsion from the Slovak Medical Chamber); 
  5. contractual penalties (depending on contract in place, e.g., between hospital and patient, hospital and insurance company); and
  6. imprisonment (in case of a criminal liability).

GB will no longer be subject to EU Regulation after 31 December 2020. As existing EU medical devices regulation will become “retained law” in GB (it will continue in NI for at least 4 years), there are unlikely to be significant changes in the immediate short term beyond the new product and UK Responsible Person registration requirements, which will start in 2021. [Footnote 6: https://www.gov.uk/guidance/using-the-ukca-mark-from-1-january-2021] As GB will now require the new UKCA marking for all medical devices including medical software apps from 1 July 2023, we can expect to see further detail on these requirements during 2021-2022 to allow industry to prepare for this, and there is a general expectation that the MHRA will issue a formal consultation on the new UKCA mark requirements.

As the UK has already indicated its intention to appoint UK Approved Bodies for higher risk classes of devices, which may affect some medical software apps, it will be important that the capacity of UK Approved Bodies is appropriately taken into account if the UK is not to repeat the Notified Body capacity shortage that has been such a challenge for industry and regulatory authorities alike during the period leading up to the MDR and IVDR. On this basis, our expectation is that the new UKCA mark requirements are likely to share at least some commonality with the current and future EU CE mark requirements for medical devices and IVDs. 

In the more immediate short term, the Medicines & Medical Devices Bill is currently before Parliament and will constitute the sector’s primary legislation to allow existing regulatory frameworks to be updated post-Transition Period. It is also intended to consolidate the enforcement regime for medical devices. 

If the Bill becomes law, then it will contain powers for the MHRA to impose civil penalties (as an alternative to criminal prosecution) for breaches of the medical device regime. It will also usher in new rights of action for breach of statutory duty (for persons affected by infringements of the Medical Devices Regulations 2002), an additional enforcement authority in the shape of local authority trading standards authorities for consumer use medical devices, which will include direct-to-consumer medical apps, and powers for the MHRA to disclose information for the purpose of civil proceedings, as well as for criminal proceedings or investigations. [Footnote 7: https://commonslibrary.parliament.uk/research-briefings/cbp-8699/]

Currently, there is no new legislation planned on digital health apps or software in the near future. Digitalisation of the health care industry is a step ahead of the relevant legislative updates. Some of the legal issues which still need to be addressed by Slovak legislators are the specific legal definition of the DHA Software and the specific regulation and liability regimes applicable to usage of DHA Software.

Telemedicine

8. How are physicians regulated in your jurisdiction (i.e., who is their Regulator; e.g., the General Medical Council in the UK)?

The General Medical Council (the “GMC”) regulates individual medical practitioners in the UK—not medical services. Every doctor who wishes to practise medicine in the UK must be registered with the GMC and hold practising rights. Doctors utilising telemedicine need to be appropriately qualified and regulated and should demonstrate, through the GMC or other means, that they are up to date and fit to practise medicine.

The Slovak regulators are as follows:

  • Slovak Medical Chamber, an independent, self-governing professional organisation, which plays a major role in the oversight and licensing of health care professionals and in internal disciplinary proceedings. Membership of the Chamber is compulsory;
  • Health Care Surveillance Authority, which performs surveillance over all relevant aspects of the health service system; and
  • The Public Health Authority, which controls and coordinates the activities carried out by regional public health offices. The Public Health Authority also prepares proposals for directions and priorities of the state health policy in the field of public health, which may have an impact on the day-to-day services provided by physicians.

9. What laws and/or regulations apply to physicians regarding telemedicine?

Medical professionals have a duty of care to the patients they treat. The case of Bolam v Friern Hospital Management Committee (1957) 1 WLR 583 established a test to determine if a medical professional has breached their duty of care. It led to the proposition that a doctor’s duty is to exercise skill and care in accordance with the reasonable standards by those practising in the relevant medical field. Therefore, if a responsible body of professional opinion considered the doctor’s care was reasonable, then the doctor would not be in breach of the standard of care. If a doctor did breach the applicable standard of care, and if that breach of duty caused an injury, then the doctor can be liable for damages under the common law tort of negligence.

Fitness to Practise

A doctor must be qualified and fit to practise medicine to maintain registration with the GMC and be allowed to practise medicine. 

All doctors must comply with the “Good Medical Practice” standards set out by the GMC.

The standards set for doctors by the GMC apply equally to digital and conventional consultations. Doctors should consider which medium is most appropriate for them and their patient.

In the context of Digital Health/Telemedicine, doctors must consider the clinical risk of not conducting the consultation against any potential risk of using consumer-focused services and apps, such as Skype, WhatsApp, or FaceTime.

Primary care networks (PCNs) can procure approved videoconferencing software. However, when using telehealth, doctors still need to safeguard confidential patient information in the same way they would with any other consultation. They need to take extra care to ensure that all information is recorded in the appropriate care record (as usual); ensure any personal information stored on the doctor’s own device, or obtained through a video or telephone conversation, is safely transferred to the appropriate health and care record as soon as possible; delete any personal information, including back-up data, from the doctor’s own device; and apply his/her own relevant professional standards, as would normally be done. [Footnote: BMA Advice, “Covid-19: video consultations and home working,” 3 June 2020: https://www.bma.org.uk/advice-and-support/covid-19/adapting-to-covid/covid-19-video-consultations-and-homeworking]

Although not a regulator of the individual doctors, the CQC registers telehealth/telemedicine service providers in England for the regulated activity of providing triage and medical advice “remotely” when certain criteria are met. Under Schedule 1(9) of The Health and Social Care Act 2008 (Regulated Activities Regulations) 2014, this is defined as, “Medical advice in cases where immediate action or attention is needed, or triage provided, over the telephone or by electronic mail by a body established for that purpose.” The CQC’s guidance published in March 2015 confirmed that remote advice will qualify as a regulated activity when the following criteria are met:

  1. The advice is medical; and
  2. The advice is responsive (i.e., for immediate attention or action); or it constitutes triage (defined in the guidance as “assigning degrees of urgency to diseases, disorders or injuries in order to decide the order and place of treatment for people using the service”); and
  3. The advice is provided over the telephone or by electronic mail; and
  4. The advice is provided by a body established for that purpose (as opposed to, for example, the occasional provision of advice by a hospital or university on an informal basis). 

E-Commerce

Until the end of the Brexit transition period (that ends 31 December 2020), the E-Commerce directive (2000/31/EC) will apply to telemedicine in the UK, as the directive applies to “information society services” defined as any service that is normally provided,

  • For payment,
  • “At a distance” (such that customers can use the service outside the presence of the provider),
  • By electronic means, and
  • At the individual request of a recipient of the service.

This directive was implemented into UK law by the Electronic Commerce (EC Directive) Regulations 2002.

Post-transition period, the retained law will be the E-Commerce Regulations, which will be amended by the Electronic Commerce (Amendment etc.) (EU Exit) Regulations 2019. The most significant impact of the amendments is to the “country of origin” rule such that a UK-established e-commerce operator will no longer be able to benefit from the previous principle allowing an information society service provider to comply with the laws of the country in which it is based. Instead, it will have to comply with the specific requirements of each jurisdiction in which it is active. A UK-based provider will therefore need to do the following:

  1. account for different contracting arrangements/requirements/information provision rules in each EU jurisdiction post-Brexit transition period (as well as complying with UK requirements when selling in the UK); and
  2. be mindful of any limitation on offering a telemedicine service which may apply in each jurisdiction where it is active.  

Please see Question 1 and Question 2 (laws and regulations mentioned therein shall also apply to physicians in general).

There is no legal definition of telemedicine in Slovak law. As in some other EU member states, telemedicine is not regulated by a specific act. However, Slovakia has a regulatory framework of acts governing the provision of health care in Slovakia, which in general also applies to physicians active in telemedicine (i.e., the Act on Health care Providers, Health Care Workers and Professional Organisations in Healthcare, the National Health Information System Act, etc.).

Currently, there are no planned legal updates on telemedicine.

10. Does the law in your jurisdiction regulate under what circumstances physicians can use telemedicine in order to treat patients?

10.1 What are the requirements?

The GMC has published guidance on remote consultations (see https://www.gmc-uk.org/ethical-guidance/ethical-hub/remote-consultations and also https://www.gmc-uk.org/about/what-we-do-and-why/data-and-research/research-and-insight-archive/regulatory-approaches-to-telemedicine). Briefly, the doctor needs to consider whether a face-to-face consultation is necessary, or whether remote treatment may be appropriate. If appropriate, then the doctor should obtain the patient’s consent for this method of provision of medical services. If the doctor is not the patient’s usual doctor, then s/he must ask the patient for consent to obtain information and a history from the patient’s GP and to send details of any treatment the doctor has arranged.

Remote consultations via use of telehealth can take place where the patient’s clinical need or treatment request is straightforward; the doctor has access to the patient’s medical records; all the information requested/needed by the patient can be given by telephone, internet, or videolink; the treatment does not require follow-up or monitoring; and the doctor has a safe system in place to prescribe medications if needed. If these are not met, and/or if the doctor needs to physically examine the patient; the doctor is unsure about the patient’s capacity; the doctor is unable to determine that the patient has all the information the patient wants or needs about treatment options; or the doctor is prescribing injectable cosmetic medications, then the consultation must be in person. 

10.2 Were there any new (time-limited) regulations regarding the SARS-CoV-2 pandemic?

Telemedicine/telehealth services and technology were already being used in the UK before the Covid-19 pandemic. However, the pandemic highlighted the need to urgently reduce the risk of staff exposure, increase the supply of PPE, and minimise high patient volume impacts on healthcare facilities. No new regulations or laws have been introduced which specifically regulate the use of telemedicine by doctors. As above, the CQC regulates healthcare institutions in England. As before the Covid-19 pandemic, telemedicine providers in England are required to register with the CQC to perform the regulated activity of “transport services, triage and medical advice provided remotely.” The Healthcare Improvement Scotland (HIS), Healthcare Inspectorate Wales (HIW), and the Regulation and Quality Improvement Authority in Northern Ireland (RQIA), the other 3 national regulators, do not have specific telemedicine policies for healthcare providers.

At the start of the Covid-19 global pandemic/during the first lockdown period in the UK, primary care and hospital outpatient departments were instructed by England’s Health Secretary to use “digital first” and to conduct all consultations via telemedicine unless there were clinical or practical reasons not to do so. GP practices were advised to move to a “total triage first” model to protect patients and staff from avoidable risks of infection. (See “How to establish a remote total triage model in general practice using online consultations.” https://www.covid19-gpg.innovationlab.org.uk/topics/remote-working/total-triage-consult) A similar approach was taken by Scotland, Wales, and Northern Ireland. However, GP practices must conduct face-to-face consultations where clinically indicated, as discussed in Q10(a).

In Slovakia, there is currently no legislation which explicitly recognises the use of telemedicine by physicians as a means of providing health care.

Even though no law was adopted to specifically regulate telemedicine in Slovakia, there was widespread use of telemedicine during the lockdown period in the spring of 2020 due to the Covid-19 pandemic (e.g., physicians conducted online consultations and examinations of patients with chronic illnesses). However, such ad hoc developments in health care have not yet been followed by changes in the Slovak legal environment.

11. Do the standards of care applicable to physicians change in the context of using telemedicine?

The standards the GMC sets for doctors apply equally to digital and conventional consultations.

11.1 Are there legal requirements for physicians to give disclaimers or other types of notices to patients (as part of the consent process) before using telemedicine? If so, please indicate these.

After the doctor verifies the patient’s identity, the doctor will need to confirm consent for a remote consultation and confirm that the patient is in a private area to speak, explaining limitations of the medium used.

If a video consultation is used, then the doctor’s practice should use a system that incorporates a robust identity authentication process, allowing the doctor to control communications with the patient. (See https://www.england.nhs.uk/wp-content/uploads/2020/01/online-consultations-implementation-toolkit-v1.1-updated.pdf)

Doctors should inform patients that any data/information/photos/etc. sent to the doctor via an app will be added to the patient’s medical record, in order to obtain the patient’s consent to use other media forums for sharing of information.

The same principles of good clinical practice apply in online consultations as when speaking to a patient by phone or through other non-face-to-face contact. The doctor should see the patient in person if clinically appropriate, confirm the patient’s agreement with management plans, and follow GMC requirements for good care.

Data Protection

Under the GDPR, a controller is required to meet transparency requirements, including providing data subjects with information on the processing of any personal data they provide (e.g., using a privacy notice). As explained above, the processing of health data is also subject to additional requirements under the GDPR where a specific condition (such as explicit consent) must be satisfied to permit the processing of such data. (See in particular Articles 9, 13 and 14 GDPR.)

11.2 Does the use of telemedicine increase the risk of liability (e.g., if a physician is asked to certify someone’s fitness to engage in a particular employment and does so virtually versus an in-person consultation)?

The use of telemedicine does not particularly increase the risk of liability, per se. Doctors are held to the same standards as when not using telemedicine and will need to determine if a face-to-face consultation is necessary. See our response to Question No. 9.

No. There are no specific requirements applicable to physicians using telemedicine. 

11.1 Are there legal requirements for physicians to give disclaimers or other types of notices to patients (as part of the consent process) before using telemedicine? If so, please indicate these.

Not applicable.

11.2 Does the use of telemedicine increase the risk of liability (e.g., if a physician is asked to certify someone’s fitness to engage in a particular employment and does so virtually versus an in-person consultation)?

Slovak law does not distinguish between physicians’ liability when providing health care using telemedicine and their liability when providing standard health care.

12. Are there any restrictions on the type of medicine that can be prescribed through telemedicine?

The GMC has published guidance for doctors on remote consultations and prescribing (see https://www.gmc-uk.org/ethical-guidance/ethical-guidance-for-doctors/prescribing-and-managing-medicines-and-devices/remote-prescribing-via-telephone-video-link-or-online). Doctors must satisfy themselves that they can make an adequate assessment; obtain the necessary information/knowledge about the patient’s health they consider is needed to make a prescription; that the medicine(s) to be prescribed serve the patient’s needs; have access to the patient’s medical records; that a physical examination or other assessment is not first required; and they must obtain a patient’s consent before a prescription can be made via telephone, video-link, or online. Physical examinations are required before prescribing any non-surgical cosmetic medicinal products. Prescriptions for patients in a care or nursing home should be made following communication with the patient and/or the patient’s carer to assess the need for the prescription, and should be followed up with written confirmation.

Slovakia has no specific regulation governing telemedicine. Thus, there are no statutory restrictions on the type of medicine that can be prescribed via telemedicine. 

However, we can draw some practical guidance from practitioners in the healthcare sector. In the case of long-term drugs for chronic patients, medicine is often prescribed without the patient being present on site. If the patient is yet to be treated with a new medicine, it is usually necessary for the patient to personally visit a health care professional.

13. Are telemedicine services reimbursable under the state’s medical insurance / subsidy / coverage? 

Healthcare in the UK is primarily provided through the National Health Service (“NHS”) which is a publicly funded healthcare system. Responsibility for the NHS is a devolved power, meaning that the devolved governments of England, Scotland, Wales, and Northern Ireland are responsible for the operation of the NHS in those respective UK nations. Our comments here relate to the health service in England, which is the largest healthcare market in the UK. 

As far as NHS patients are concerned, NHS treatment is generally free at the point of demand. However, the NHS does not fund all treatments and products on an unlimited basis. For example, some healthcare products can be subject to health technology assessment (“HTA”) approvals by the National Institute for Health and Care Excellence (“NICE”) in England, which can mandate funding for use in England. The availability on the NHS of other therapies can depend on the therapy being included in area formularies as the result of more localised reviews. As far as digital health apps are concerned, the NHS Apps Library contains apps which have been clinically assessed by the NHS to ensure they meet NHS quality standards for safety, usability, and accessibility. However, there is not yet publicly-funded provision of apps direct to patients. Patients must therefore either self-fund or use free of charge apps. 

Telemedicine services can, in principle, be funded by the NHS through a range of different structures depending on the nature of the service and the context in which it is provided (e.g., primary versus secondary care). For example, primary care services provided by way of telemedicine may be commissioned and paid for by a commissioning body under a standard contract for general medical services. 

13.1 If so, are there any special provisions about the reimbursement/coverage of costs regarding the use of mobile apps that can combine digital health and telemedicine? 

There are no statutory provisions specific to reimbursement/coverage of telemedicine/healthcare mobile apps. However, there are various ways that such a service may be funded by the NHS. For example, as per above, in primary care this could be funded under a contract for general medical services. Alternatively, a telemedicine service may be indirectly funded by the NHS where an NHS provider, such as an NHS hospital Trust, sub-contracts part of its service provision to a provider of this type of service.

13.2 And further, if yes, who is covering the costs for apps that are mostly used by healthcare professionals and by patients?

As per above, this will depend on the type of app. For apps used by HCPs, this will likely be the healthcare provider at which they are employed, which will in turn be funded by way of contracts with NHS commissioning bodies.

Telemedicine is not explicitly recognised as a service reimbursable under the state’s medical insurance.

13.1 If so, are there any special provisions about the reimbursement/coverage of costs regarding the use of mobile apps that can combine digital health and telemedicine? 

Not applicable.

13.2 And further, if yes, who is covering the costs for apps that are mostly used by healthcare professionals and by patients?

Not applicable.

14. Are there specific data protection regulations covering telemedicine (outside the context of using a digital health app) in your jurisdiction? If so, please summarise what they are.

Data protection

Besides the legislation referred to above, there are no other specific data protection laws or regulations relating to telemedicine in the UK. 

No, there are no specific rules. General rules according to, e.g., the GDPR, the Slovak Act on Personal Data Protection, and the Act on Electronic Communications would apply.

Current regulations that impact on telehealth may be subject to amendments post-Brexit to take into consideration the UK no longer being in the EU. For example, the current EU Cross-Border Healthcare Directive (2011/24/EU) (“the Directive”) allows British citizens to access healthcare in other EU countries and provides for mutual recognition of prescriptions between the UK and other EU countries. The UK government implemented provisions of the Directive by the National Health Service (Cross-Border Healthcare) Regulations 2013 and the National Health Service Act 2006 in England. 

To protect against a no-deal, Parliament approved the National Health Service (Cross-Border Healthcare and Miscellaneous Amendments etc.) (EU Exit) Regulations 2019, which revokes the 2013 Regulations and ends rights under the Directive for reimbursement of costs of services provided in another EEA state. The 2019 Regulations will likely come into force on 31 December 2020 if no agreement with the EU to facilitate cross-border arrangements beyond the transition period exists by that time. The 2019 Regulations will retire current cross-border healthcare arrangements giving effect to the Directive in domestic legislation but will also enable residents of England and Wales to access cross-border healthcare in countries with whom reciprocity has been established prior to 31 December 2020. (See Paras 2.11 – 2.13 and 7.1 – 7.4 of the Explanatory Memorandum to The National Health Service (Cross-Border Healthcare and Miscellaneous Amendments Etc.) (EU Exit) Regulations 2019.)

Unless an EU-UK healthcare treaty is agreed, then British citizens/UK residents will likely lose the cross-border healthcare rights previously enjoyed under the Directive. A case-by-case determination will therefore need to be considered, depending on what has been agreed between the UK and other countries as at 31 December 2020.

With regard to data protection, after the end of the Brexit transition period on 31 December 2020, the UK will have its own data protection regime, separate to EU law. The UK plans to retain the GDPR in its domestic law with some changes (e.g., replacing references to EU entities such as the European Commission with UK entities such as the Secretary of State). In general, the substance will remain very similar. While the UK has made provision for transfers of personal data from the UK to the EEA to continue, it is not yet clear if the European Commission will make an adequacy decision in respect of the UK. Therefore, businesses wishing to transfer personal data from the EEA to the UK will need to consider how to meet the GDPR requirements in respect of international transfers after the end of the Brexit transition period.

Generally, we anticipate that the scope of regulation of digital healthcare and telemedicine will ultimately widen and incorporate services that are not currently captured by existing regulation.

Currently, there are no planned legal updates related to telemedicine. However, there is a growing trend of introducing explicit regulation on telemedicine in neighbouring countries. For instance, the Czech Ministry of Health has started work on a legislative framework for telemedicine. Officials from the Czech Ministry of Health indicated that their inspiration comes from Germany, where legislation regulating telemedicine has already been adopted.

Based on the above, we believe that there will be similar developments in Slovakia soon. Moreover, the increased need for telemedicine during the Covid-19 pandemic may expedite this process.

Shuna Mason
Partner
London
Elizabeth-Anne Larsen
Senior Associate
London
Martina Gavalec
Senior Associate
Bratislava