Tag Archives: healthcare

Italy’s New AI Law: A Boost for Healthcare Research?

Legal news, , , , , , , , , , , ,

Italy has recently enacted its own “Artificial Intelligence Act”, set to take effect on October 10, 2025.

You might be wondering: Did we really need another layer of AI regulation? That was our initial reaction, too. But a closer look reveals that the Italian AI Law introduces several interesting provisions, especially in the healthcare sector, that could facilitate research for both public and private entities. Here are some highlights:

1. Healthcare Data Processing as Based on Public Interest

The law explicitly recognizes that the processing of health-related personal data by:

  • Public or private non-profit entities,
  • Research hospitals (IRCCS),
  • Private entities collaborating with the above for healthcare research,

is of “substantial public interest.” This significantly expands the scope of Article 9(2)(g) of the GDPR, offering a clearer legal basis for processing sensitive data in research contexts.

2. Secondary Use of Data

The law introduces a simplified regime for the secondary use of personal data without direct identifiers. In particular:

  • No new consent required, as long as data subjects are informed (even via a website).
  • Automatic authorization unless blocked by the Data Protection Authority within 30 days of notification.

This provision applies only to the entities mentioned above so it is limited in scope, but in any case significantly strengthens the framework for nonprofit research projects.

3. Freedom to Anonymize, Pseudonymize and Synthesize

Under Article 8(4) of the AI Law, processing data for anonymization, pseudonymization, or synthesization is always permitted, provided the data subject is informed. This is a major step forward in enabling privacy-preserving AI research.

4. Guidelines and Governance

The law delegates the creation of technical guidelines to:

  • AGENAS – for anonymization and synthetic data generation.
  • Ministry of Health – for processing health data in research, including AI applications.

It also establishes a national AI platform at AGENAS, which will act as the data controller for personal data collected and generated within the platform.

Final Thoughts

While the GDPR aimed to support research, its implementation often created legal uncertainty and operational hurdles. Italy’s AI Law appears to address some of these gaps, offering a more pragmatic and enabling framework for healthcare research.

What if hospitals don’t pay?

Legal news, ,

Many of our clients encounter challenging dilemmas when public hospitals fail to reimburse the supplies they provide. Our seminar, held yesterday in our auditorium, was designed to discuss risks and potential solutions.

We regret if you were unable to attend, particularly as it was followed by an enjoyable aperitivo. However, we have included the slides presented by our attorneys, Fabrizio Sardella, Damiano Pallottino, and Francesco Clerici, who offered an analysis of the topic from a criminal, administrative, and civil law perspective.

slidesDownload

A new decree (and new obligations) to tackle counterfeiting in the pharmaceutical sector

Legal news, ,

On January 28, 2025 the Italian government approved a legislative decree (“Decree”) implementing EU regulation 2016/161 through which the European Union has introduced specific measures aimed at fighting counterfeit medicines.

Packaging. Packaging of pharmaceutical products will have to include: (i) a two-dimensional bar code (i.e. “unique identifier”) able to guarantee the authenticity and the identification of the single individual pack of medicinal products; and (ii) an anti-tampering device.

Marketing authorization. Any new or existing marketing authorization (“MA”) requests must include information on the unique identifier and anti-tampering device when it has an impact on the primary packaging, the locking system or the label’s legibility. MA holders must update their MA to ensure full compliance with the new regulation.

Timeline.  The Decree should come into force on February 9, 2025, but its publication in the official Gazette is still awaited. However, the Decree has provided for a transition period between February 9, 2025, to February 8, 2027, where it will be possible to continue using the old “Bollino” system without incurring penalties.

Sanctions.  The manufacturer who does not apply and activate the unique identifier may be sanctioned with an administrative fine ranging from Euro 10,000 up to 60,000 for each batch. An MA holder may be sanctioned with a fine, ranging from Euro 10,000 up to 60,000 for each batch, for trading a medical product lacking an anti-tampering device. Manufacturers, wholesalers, and suppliers of medicines to the public who do not notify immediately to the competent authorities of any case of tampering or counterfeiting may be sanctioned with a fine starting from Euro 20,000 up to Euro 80,000 for each batch.

Happy GDPR-compliant Xmas and a prosperous new year!

Legal news, , , , , , , , , , , , , ,

Winter recess is about to start. While we’ll all be resting, GDPR will not!

While we will all be recharging our batteries to tackle the challenges for the upcoming 2025, GDPR will not go on vacation, and will thus never be out-of-office!

Check out the following tips that the Italian Data Protection Authority has recently issued in order to avoid threats to your privacy rights during the upcoming vacations:

  • Are you receiving plenty of virtual greetings and commercial offers? Be careful about them, even if apparently sent by a friend or parent: they may contain viruses, obscure links or may hide tentative of phishing. Not all presents may be welcome.
  • Have you taken good family pictures that you wish to share on your social network? Don’t forget to ask consent of all depicted individuals. Is your grandpa going to provide his consent as well?
  • Have you filmed your children’s Christmas pageant? Keep it for yourself! You’d need consent from all depicted individuals for publishing (including from their parents in case of minors).
  • Are you wishing to download any specific Christmas-related app on your smartphone? Choose them carefully, check their issuer and the reviews. You may inadvertently be downloading the Grinch’s one!
  • Are you going away for a trip? Don’t share too much information and pictures on your social media about your time off, your house and your vehicles, as it may attract thieves. Only Santa Claus shall be allowed to break in without your consent!
  • Are you connecting with your hotel’s or restaurant’s Wi-Fi? Ask the staff about its security: they may not be protected enough.
  • Have you bought any “smart” presents for your little nephews? Check whether they may collect any personal data from their users. In the affirmative, make sure that they will not harm them in any way possible.

Our own additional tips: rest, enjoy good food, spend time with your loved ones, and get ready for 2025! We wish you happy holidays and a healthy and successful new year.

Gitti and Partners Life Sciences Team

Don’t Miss our European Biotech Week 2024 Webinars

Events, , , , , ,

Hungry for content? The life sciences practice of Gitti and Partners has an interesting program of webinars/seminars in store for you within the framework of the EUROPEAN BIOTECH WEEK 2024:

See you soon!

Processing Health Data: the Most Recent Amendment to Italian Privacy Code

Legal news, , , , , , ,

The Italian “Privacy Code” (Legislative Decree No. 196/2003), which governs data protection in Italy together with the European GDPR, has recently been amended.

Law No. 56/2024, further implementing the National Recovery and Resilience Plan, intervened on section 110 of the Privacy Code, which deals with the processing of health-related data for the purposes of medical, biomedical or epidemiological scientific research.

Section 110 provides that consent of the data subject for the processing of health-related data for the purpose of medical, biomedical or epidemiological scientific research is not required when:

  • the research is carried out on the basis of legal provisions or European Union law, when processing is necessary for scientific research or statistical purposes, provided that an impact assessment is carried out pursuant to sections 35 and 36 of the GDPR; or
  • informing the data subject is impossible or involves a disproportionate effort, or would render impossible or seriously jeopardise the attainment of the purposes of the research.

In such cases – before the latest amendment – the data controller had to:

1) take appropriate measures to protect the rights, freedoms and interests of the data subject;

2) obtain a favorable opinion of the competent ethics committee; and

3) consult the Italian Data Protection Authority prior to processing.

The obligation to consult the Italian Data Protection Authority has now been repealed. Thus, there is no need to apply for the Authority’s clearance prior to processing health-related data (in those cases where consent of the data subject is not required under section 110 of the Privacy Code). 

This amendment may have a significant impact especially on retrospective studies for which informing data subjects is particularly burdensome. The data controller will, in fact, be able to proceed without the Authority’s permission. Nonetheless, the data controller will still have to comply with specific guarantees and ethical rules issued by the Authority – as specified by the amended section 110.

On the one hand, the amended section 110 seems to favor accountability and to soften the procedural requirements in processing health data for research purposes, making the overall procedure quicker. When it comes to “secondary use” of health data, the accountability approach should be considered strong enough to protect data and favorably welcomed, as it moves in the same direction of the European Health Data Space – which intends to provide a reliable and efficient system for the re-use of health data in areas as research and innovation.

On the other hand, though, the Italian Data Protection Authority has already issued some interim guarantees, specifying that data controllers – when processing health data related to deceased or non-contact subjects – must carry out and publish an impact assessment, pursuant to section 35 of the GDPR, notifying it to the Authority. It remains to be seen how the amendment will be handled by the Authority in practice: the effects of the simplification provided by the new version of section 110 may be diminished if the guarantees set forth by the Authority generate equally articulate procedures.      

Processing of personal and health data through apps and online platforms aimed at connecting HCPs and patients: the new digest of the Italian DPA

Legal news, , , , , , , , , , , , , , , , , , , , , ,

On March 2024, the Italian Data Protection Authority (“Italian DPA”) has issued a new digest (“Digest”) relating to the processing of personal data, whether or not concerning health data pursuant to section 9 of the GDPR, carried out through the utilization of platforms, accessible through apps or web pages (“Platforms”), that aim to facilitate connection between healthcare professionals (“HCPs”) and patients.

The use of such Platforms poses high risks to the protection and security of patients’ personal data, and in particular health-related data, given that the latter are subject to an enhanced protection regime set forth by section 9 of the GDPR. 

The Digest seeks to summarize the applicable data protection rules that may be followed, and defines the roles of the parties, as well as the legal bases, applicable to (i) the processing of personal data of the users by Platform’s owners; (ii) the processing of HCP’s personal data by Platform’s owners; and (iii) the processing of health data of the patients by the Platform’s owner and by the HCPs.

Additional guidance is provided as to:

  • The necessity for the Platform’s owner to carry out (and periodically update) a data protection impact assessment (DPIA) pursuant to section 35 GDPR, since the use of Platforms determine a “high risk” processing of personal data, as such kind of treatment automatically meets the criteria issued by the European Data Protection Board for the identification of the list of data processing that may be deemed subject to the duty to perform a DPIA;
  • Which information notices should be provided, by who and to whom, as well as the contents that such information notices should have in each case, according to sections 13 and 14 GDPR;
  • The specific rules applicable to cross-border data transfers and data transfer to third countries.

Lastly, the Digest includes a list of the most common measures that are taken by the data controllers to ensure an appropriate level of technical and organizational measures to meet the GDPR requirements, such as encryption, verification of the qualification of the HCPs that seek to enroll within the Platform; strengthened authentication systems, monitoring systems aimed at preventing unauthorized access or loss of data.

The Digest should be very welcomed by the Platform’s owners, as it now gives a reliable and complete legal frame that may be followed in order to set up a Platform in a way which is compliant with the GDPR principles.

The Italian Government Fund for the Governance of Medical Devices

Legal news, , , , , , , ,

With Ministerial Decree dated December 29, 2023, the Italian Ministry of Health has established criteria and methods for feeding the fund dedicated to the governance of medical devices, the so-called “Fondo per il governo dei dispositivi medici” (Fund for medical devices governance, “Fund”).

Key Features

  • Annual payment obligation.  Companies manufacturing or distributing medical devices, large medical equipment and in vitro diagnostic medical devices must pay a sum equal to 0.75% of the company’s previous year turnover from the sale of such devices to the National Health Service, net of VAT.
  • Annual Declaration Requirement.  Companies must submit an annual statement to the Ministry of Health regarding:
    • The estimated amount of 0.75% of the above-mentioned turnover.
    • The company’s previous year turnover to the National Health Service, net of VAT;
  • Use of the Fund. The Fund will be used for various activities related to Health Technology Assessment and governance of medical devices (including the management of the National Price Observatory, the vigilance system and the market surveillance system).
  • Deadlines and next steps. The first deadline for compliance with the fund regulations is set for December 31, 2024.

Companies are currently assessing whether the Fund can be challenged in court with arguments that may be similar to those raised in the so called “payback” litigation, which will see its day in Court (namely, the Italian Constitutional Court) on May 22, 2024.

Implementation of the “231” Compliance Model in the Pharma Industry: New Guidelines issued by the Italian Association of Pharmaceutical Companies

Legal news, , , , , , , , , , , , , , , ,

On September 5, 2023, the Italian Association of Pharmaceutical Companies (“Farmindustria” – https://www.farmindustria.it/) has issued guidelines to design an organizational model pursuant to the Legislative Decree 231/2001 in the pharmaceutical sector (“Guidelines”).

In particular, the Guidelines, by taking into account the main peculiarities of the pharma industry, seek to identify the typical activities that are most at risk for the commission of criminal offences, and provide detailed guidance about the main policies and preventive actions that should be carried out by companies in order to prevent their commission.

As expected, the highest risks concern relationships with public officials, which may lead to crimes such as corruption or fraud against the State, with significant advantages for pharma companies.

The Guidelines seek to drive the attention of companies involved in the pharma sector on the risks that are latent in the following areas:

  • Relationships with healthcare professionals (“HCP”) and healthcare organizations (“HCO”): compliance programs should regulate activities of the key account managers and their bonuses, sponsorship of congresses, grants and donations to HCOs, gifts to HCPs, as well as other sponsorship or advertisement activities;
  • Relationships with Public Authorities: many interactions with public officials may entail corruptions risks, such as, e.g., obtainment of Market Authorizations, price reimbursement negotiations with the Italian drug regulatory agency (AIFA – https://www.aifa.gov.it/), management of site visits and inspections, participation and execution of public tenders for the supply of drugs to HCOs;
  • Relationships with private entities: relationships with suppliers providing services in the context of clinical studies, pharmacies, patient advocacy organizations, patients and “expert patients”, or management of patient support programs also need to be regulated.

The Guidelines also offer a complete set of policies and other preventive remedies that may be sufficient to prevent the envisaged criminal risks.

The Guidelines are a useful tool for pharma companies and no similar initiatives have been taken by other associations with regard to different industries and sectors. The Guidelines also constitute a benchmark for best practices that will be difficult to ignore.

Do you need help in designing or updating your company’s “231” compliance model? Do not hesitate to reach out!

AI and Healthcare: Recommendations by the Italian Data Protection Authority

Legal news, , , , , ,

The use of Artificial Intelligence in healthcare continues to grow and it is poised to reach 188 billion by 2030. It also raises many concerns.

The Italian data protection authority (Garante) has recently issued recommendations based on 10 points, which can be found here.

The Garante particularly insists on:

  1. Human in the loop: a human being must be involved in the control, validation or change of the automatic decision;
  2. No algorithmic discrimination: trustworthy AI systems should reduce mistakes and avoid discrimination due to inaccurate processing of health data;
  3. Data quality: health data must be correct and updated. Representation of interested subjects must correctly reflect the population.
  4. Transparency: the interested subject must be able to know the decisional processes based on automated processes and must receive information on the logic adopted so as to be able to understand it (easier said than done!). The Garante also requires that at least an excerpt of the Data Protection Impact Assessment is published.

Other recommendations are not surprising for anyone familiar with the GDPR:

  • Profiling and decisions based on automated processes must be expressly allowed by Member State’s laws.
  • The principles of privacy by design and privacy by default obviously play a big role in healthcare AI systems.
  • Roles of controller and processor must be correctly allocated: in particular, the public administration must ensure that external entities processing data are appointed as data processors.
  • A Data Protection Impact Assessment must be carried out and any risks must be evaluated.
  • Integrity, security and confidentiality of data must be ensured.

Striving for genuine transparency in connection with very complex and rapidly evolving algorythms is not going to be an easy task for the data controller. Similarly, understanding how AI works in a healthcare setting is not going to be simple for patients.