Tag Archives: medical app

Electronic medical records and patients: a love and hate relationship.

What’s the status of e-health in Italy?

A fairly reliable benchmark may be represented by the implementation of the Electronic Medical File (Fascicolo Sanitario Elettronico) (“EMF”). The EMF was first introduced by Law Decree nr. 179 of 2012, as converted into law no. 221 of 2012; it was then implemented by way of Ministerial Decree dated September 3, 2015. The purpose of the EMF is to provide a tool to patients and healthcare professionals by collecting and providing web access to health-related data like hospitalizations, medical checks, drug administration, home assistance, and access to emergency rooms. In other words, the EMF promises to make all data relating to patients’ health readily available and accessible from any place in the world at an unparalleled speed.

Despite these intentions, the new comprehensive tool is far from achieving the expected success.

Why is that?

A legal reason may lie in the privacy concerns that the creation, population and maintenance of EMFs bring about. EMFs are in fact populated with data collected by healthcare professionals in the course of patients’ lives. The fear that data may be inadequately protected on the internet, and thus inappropriately divulged, may push patients to deny their consent to the creation and population of EMFs. After all, although data are supposed to be processed in accordance with the provisions of the Code for the Digital Administration, and appropriate measures must be taken to ensure access authentication and authorization, patients may still harbor suspicions as to the safety of the data processing.

Quite interestingly, however, a more mundane reason seems to prevail. Italians just do not know about the EMF! According to a survey carried out by the Observatory for Digital Innovation in Health on a sample of 1,000 citizens, 83% of them have never heard of the EMF, 88% do not know whether such a service is currently active in their Region, and 95% have never sought information about it[1]. Also, the EMF does not seem to be the most appealing item in blog discussions: out of 400,000 comments on e-health on the web, only 11% relate to the EMF[2]. Such a low impact seems to go hand in hand with quite a low use of other e-health services provided by hospitals and other healthcare centers. Only a few patients seem in fact to have taken advantage of services like online booking of medical checks, testing records, and payments[3].

If, as mentioned, psychology plays a major role in the implementation of the EMF, so do the efforts made thus far by Regions and healthcare professionals. An inquiry into the implementation of the EMF in the Emilia Romagna Region reveals that not all services set forth in the law are currently included in the available EMF, and the availability of the services may depend on where the interested patient resides[4]. Also, hospitals and healthcare professionals seem to be responsible for having passively accepted the EMF, without truly understanding its potential[5]. Healthcare professionals are reported to often regard the EMF as a burden rather than a revolutionary tool[6]. Lastly, many hospitals and healthcare centers continue to maintain their own independent presence on the web in parallel; as a consequence, patients rely on those websites to use services that would be available on the EMF[7].

What can be done?

Perhaps the EMF would be more popular if patients were able to use it through a mobile app, provided that security concerns are adequately addressed. Patients could thus access the EMF more easily, monitor the processing of the collected data and promptly report any inaccuracies or errors. However, even if this suggestion represents an improvement, it would in any case require further education and promotion through healthcare professionals and healthcare centers.

[1] Il Sole 24 Ore Sanità, September 29 – October 5, 2015, page 10.

[2] Ibidem.

[3] Ibidem.

[4] Il Sole 24 Ore Sanità, October 20 – October 26, 2015, page 8.


[5] Il Sole 24 Ore Sanità, October 20 – October 26, 2015, page 8.

[6] Ibidem.

[7] Ibidem.

Medical Apps and the Law, Part II – Medical Apps: Helpful or Harmful?

A BOOMING MARKET. The idea of running software with healthcare uses on a mobile device was discussed as early as 1996[1]. However, the issue has assumed explosive proportions in recent years, thanks to the spread of an “app mentality” among health care professionals and consumers, and its potential, given cloud computing, social networks and big data analytics, may be yet to be realized. According to a March 2014 BCC report, this growing trend will continue in the coming years[2]. App stores offering thousands of medical apps also confirm the trend, with about 97,000 mobile health apps in 62 app stores according to a Research2Guidance market report of last year. Hardware manufacturers are certainly not immune to the medical app fervor, and – for example – the new smartphone Gear 2 Neo, launched on April 11, 2014 by Samsung in 125 countries, incorporates a heart rate sensor.


ACCORDING TO THE EU COMMISSION, MEDICAL APPS AND E-HEALTH HAVE GREAT POTENTIAL. What is the view of the authorities on this phenomenon? The potential of apps makes them app enthusiasts; the reality of apps worries them. The European Commission believes in medical apps, which can be leveraged in order to eliminate barriers to smarter, safer, patient-centred health services. Further, digital health could also be a promising factor to cut Member States’ budgets[3] while – in the words of the Commission – “putting patients in the driving seat”[4]. The reality of the app market, however, does not necessarily boost patient empowerment. In fact, the Commission noted that there are substantial risks connected with the way apps are currently marketed: information to consumers is not clear, the trader’s contact details are not easy to find, and the use of the term “free” is often misleading[5].


ENFORCEMENT ACTION BY THE ITALIAN DATA PROTECTION AUTHORITY. On September 10, 2014 the Italian Data Protection Authority issued a warning regarding data protection risks inherent to medical apps (“Medical Apps: More Transparency Is Needed On Data Use”), promising future sanctions. The Authority found insufficient information provided to users prior to installation, as well as the processing of excessive data. The survey conducted by the Italian Data Protection Authority involved a total of 1,200 apps and the findings thus obtained were striking: (i) barely 15% of them provided meaningful privacy notices; and (ii) in 59% of the apps reviewed the Authority found it hard to locate pre-installation privacy notices. The stance taken by the Italian Data Protection Authority echoes Opinion 02/2013 by the “Article 29 Data Protection Working Party”, which had identified lack of transparency; lack of free informed consent; poor security measures; and disregard for the principle of purpose limitation, which requires processing of personal data only for specific and legitimate purposes.


CONSENT IN WRITTEN FORM: A REQUIREMENT PECULIAR TO ITALIAN LAW. Italian legislation includes a couple of additional requirements, which could kill the medical app market. We note, however, that they were not mentioned by the Italian Data Protection Authority in its September 10, 2014 warning, so it is unclear whether there is any appetite for enforcing them. In addition to a specific authorization by the Data Protection Authority, typically substituted by a general authorization such as this, Section 23 of the Data Protection Code requires that consent to process sensitive data, such as health data, be given in written form, a requirement which is not satisfied by a mere “click” on the smartphone, but would only be satisfied by a digital or qualified electronic signature in accordance with Italian legislation. This obstacle could be overcome only when (and if) the proposed EU Data Protection Regulation enters into force and repeals the existing Italian Data Protection Code, since consent to process sensitive data will then have to be “freely given, specific, informed and explicit” and the controller will bear the burden of proof of such consent, but consent in written form will no longer be required.

[1] “Regulation of health apps: a practical guide”, d4Research, January 2012, citing material from the Conference of the American Medical Informatics Association Fall Symposium of 1996.

[2] “This market is expected to grow to $2.4 billion in 2013 and $21.5 billion in 2018 with a compound annual growth rate (CAGR) of 54.9% over the five-year period from 2013 to 2018”.

[3] “In Italy, overall savings from the introduction of ICTs in the Health Sector are estimated to be around 11.7% of National health expenditure (i.e., €12.4 billion). Savings from digital prescriptions alone are estimated to be around €2 billion”. European Commission Memo of December 7, 2012 “eHealth Action Plan 2012-2020: Frequently Asked Questions”.

[4] It should be noted that, while the Commission is a fervent proponent of eHealth (see also the recent Green Paper on mHealth), there are strong limitations to its actions given its lack of competence in healthcare delivery and financing, which is entirely up to Member States. The effectiveness of eHealth solutions in Europe requires the commitment of Member States to implement organizational changes which make patient-centric eHealth solutions an integral part of their healthcare systems, a task that each Member State is pursuing to varying degrees. A March 24, 2014 press release by the European Commission commenting on two European surveys on the use of eHealth (including Electronic Health Records, Health Information Exchange, Tele-health and Personal Health Records) showed that many critical issues still exist: lack of penetration, lack of interoperability, and lack of regulatory certainty, to name a few.

[5] The focus of the Italian Antitrust Authority has so far been on game apps, rather than medical apps: it, too, found that apps were misleadingly presented to users as free, while they were not.

Medical Apps and the Law Part I – What is a medical app? Perhaps it is a medical device. Find out!

Technology often starts in a simple way, perhaps with a simple “click” on an “I AGREE” button on your smartphone. Once the technology has spread, lawyers and authorities start debating what it is and how it fits with the laws.

The following post is the first part of a legal analysis of medical apps attempting to establish what they are under current legislation (Part I), as well as what is wrong with them according to various authorities who have scrutinized them (Part II).

I keep reading and hearing that apps are not regulated and that the European Union lags behind the United States in that process. Both statements are wrong. Medical apps can be regulated, if they fall within the scope of the definition of “medical device”. The trick is to find out if they do…

It probably takes less time to download a medical app on your smartphone than to determine if it falls under the definition of “medical device”[1]. Where to look for guidance?

THE EU COMMISSION GUIDELINES. In June 2012 the European Commission issued Guidelines (MEDDEV 2.1/6) in an attempt to clarify when standalone software is a medical device. The Guidelines also provide a 6-step decision diagram as an aid to decide if a medical application is a medical device. If the medical app is indeed a medical device, then a conformity assessment is required and the app must carry the CE marking.

One key element stands out in order to decide whether a medical app is a medical device: its intended use. This has been further emphasized in the Brain Products GmbH case (Case C-219/11) decided by the European Court of Justice regarding an electro-technical system enabling human brain activity to be recorded. The Court stated that “a device used in humans for the investigation of a physiological process falls within the scope of Directive 93/42 only if the intended purpose of that device, defined by its manufacturer, is medical”, while specifying that the fact that the software is used in a medical context is not sufficient to trigger its qualification as “medical device”. Therefore, the intended use of a device is up to the manufacturer, although – as the influential medical device counsel and blogger Erik Vollebregt puts it – “you cannot disclaim an obvious intended purpose as this would amount to a contradictory label and consequently a non-compliant product”.

THE FDA’s VIEW. On September 23, 2013 the United States Food and Drug Administration tackled the same problem and issued a guidance document “to clarify the subset of mobile apps to which the FDA intends to apply its authority”, because while “The FDA encourages the development of mobile medical apps that improve health care and provide consumers and health care professionals with valuable health information”, “The FDA also has a public health responsibility to oversee the safety and effectiveness of medical devices – including mobile medical apps.”

FURTHER HELP FROM THE UK. On March 21, 2014, the United Kingdom Medicines and Healthcare Products Regulatory Agency (MHRA) also issued guidelines to help “healthcare and medical software developers who are unsure of the regulatory requirements for CE marking stand-alone software as a medical device”. The MHRA indicated that software functions that, e.g., analyze, alarm, calculate, control, convert, diagnose, measure or monitor are likely to lead the app to be considered a medical device.

REALITY CHECK! The intention of the EU Commission, the FDA and the MHRA to clarify the regulatory framework is commendable and guidelines abound (see also the D4Research guide), but how many mobile medical apps actually bear a CE marking? How many app developers, app stores and app users are even aware of such requirements? I have witnessed awards granted to apps and eHealth projects which showed no awareness of the regulatory aspects. Announcements to “crack down” on illegal apps have been issued (e.g., by the Dutch authorities). What is happening in Italy? While the Ministry of Health is developing its own apps, its general manager Dr. Marletta announced in December 2013 that the explosion of medical app use is an area of concern, especially with regard to risks and liabilities, which will be monitored by the authority going forward. Actual enforcement action, however, is still to be seen.

THE PROPOSED MEDICAL DEVICE REGULATION: WHAT MAY HAPPEN NEXT. If the proposed Regulation replacing the Medical Device Directive sees the light, software will be expressly regulated and specific quality requirements will apply concerning the following aspects:

  • software design must ensure repeatability, reliability and performance according to the intended use;
  • appropriate means must be adopted to eliminate or reduce, as far as possible and appropriate, the consequent risks in the event of a single fault condition;
  • software must be developed and manufactured according to the state of the art taking into account the principles of development life cycle, risk management, verification and validation;
  • if intended to be used in combination with mobile computing platforms, software must be designed and manufactured taking into account the specific features of the mobile platform (e.g. size and contrast ratio of the screen) and the external factors related to their use (varying environment as regards level of light or noise).

CONCLUSIONS. Medical apps do not stand in a regulatory vacuum: if they fall within the definition of “medical device”, they are subject to essential requirements and should bear the CE mark.

INSTRUCTIONS FOR USE FOR MEDICAL APPS: IN WHICH FORM? We note that, under the e-labeling regulation (Regulation no. 207/2012), which entered into force on March 30, 2013, stand-alone software that is deemed to be a medical device can have instructions for use in electronic form, provided that the devices are intended for exclusive use by professional users and that use by other persons is not reasonably foreseeable. Instead, if the app is a medical device but intended for a patient, instructions for use in paper form must be provided. This requirement appears both impractical[2] and unreasonable given that a patient downloading an app seems “digital” enough to be sufficiently protected by electronic instructions.

[1] The very definition of medical device included in Directive 93/42/EEC, as amended by Directive 2007/47/EC, includes software. In fact, “’medical device’ means any instrument, apparatus, appliance, software, material or other article, whether used alone or in combination, together with any accessories, including the software intended by its manufacturer to be used specifically for diagnostic and/or therapeutic purposes and necessary for its proper application, intended by the manufacturer to be used for human beings for the purpose of:

  • diagnosis, prevention, monitoring, treatment or alleviation of disease;
  • diagnosis, monitoring, treatment, alleviation of or compensation for an injury or handicap;
  • investigation, replacement or modification of the anatomy or of a physiological process,
  • control of conception,

and which does not achieve its principal intended action in or on the human body by pharmacological, immunological or metabolic means, but which may be assisted in its function by such means;”.

[2] An average smartphone user downloads 37 apps, according to the Opinion 02/2013 on apps on smart devices by the Article 29 Data Protection Working Party, page 2.