Contributed By Meythaler & Zambrano
The Right to Privacy in Ecuador
Personal and family privacy are among the freedoms/rights recognised and guaranteed by the Constitution of the Republic of Ecuador.
The confidentiality of personal information includes ideology, political affiliation, union affiliation, ethnicity, health status, sexual orientation, religion, immigration status and other information related to personal privacy, especially any information whose public use violates the human rights enshrined in the Constitution and any other international instruments.
Any information that has been declared private by the competent authority is also confidential, as well as any information protected under banking or stock exchange secrecy, and any information that could affect the internal or external security of the State.
Health Data
Regarding health information, any technological platforms that collect and store patients’ clinical information must have the prior and express consent of the owner of the data.
On 26 May 2021, the Personal Data Protection Law was published, which imposes new rules regarding health information collected to provide health services.
This regulation defines health-related data as personal data relating to the physical or mental health of an individual, including the provision of healthcare services, which reveal information about his or her health status.
According to this law, the treatment of health-related data from a patient must comply with the following minimum parameters, from both a regulatory and a technological point of view.
According to Ecuadorian regulations, telemedicine or digital medicine is a mechanism implemented to improve access to health and medical care for people, and link information and communication technology with medicine.
In this way, telemedicine has been regulated in different legal and regulatory instruments, such as Ministerial Agreement No 5169, through which the Operational Guidelines for the Implementation of a Comprehensive Healthcare Model (MAIS) and the Comprehensive Public Health Network (RPIS) were issued in 2015.
However, to date, Ecuador has not implemented a specific regulation on telemedicine that comprehensively develops the management and procedures for the provision of this service; therefore, telemedicine is governed by general rules that allow its application in both the public and private sectors.
The Ministry of Public Health, as the National Health Authority, sought to implement structural changes in the health sector which would serve as a guide for the implementation of the MAIS with a family, community, and intercultural approach, governing the development of the RPIS and the complementarity with the private sector of the National Health System.
Ministerial Agreement No 5169 therefore explains, in general terms, certain concepts and procedures for the provision of remote medical health services (telemedicine), which are of direct application, including the following:
On 27 July 2022, Ministerial Agreement 22 was issued by the Ministry of Telecommunications and Information. This agreement includes Digital Healthcare as Pillar 4, with the objective of promoting programmes and projects in digital healthcare, considering the promotion of telemedicine and preventive healthcare services in rural areas and among priority groups.
Telemedicine, by its nature, is strictly linked to information and communication technologies, replacing, in many cases, the traditional way in which medicine has been provided. Therefore, the provision of remote medical services involves many different services and technologies, including communications, databases, internet and intranet resources, and the transmission and/or filing of images that go beyond the traditional concept of medicine.
In this sense, it is important to consider that Ministerial Agreement 22, issued by the Ministry of Telecommunications, included the Digital Transformation Agenda, which aims to establish a co-ordinated multisectoral work framework that establishes lines of action for the country’s digital transformation process, defining its governance and institutional framework, and considering the transversality of information and communication technologies.
Telemedicine is approached for the purposes of the digital transformation agenda as a healthcare service, in which distance is a critical factor, performed by professionals using information and communication technologies to exchange data, make diagnoses, recommend treatments, prevent diseases and injuries, as well as for the ongoing training of healthcare professionals, and in research and evaluation activities, with the aim of improving the health of individuals and the communities in which they live.
Unfortunately, there have been no regulatory advances in this area on the part of the healthcare authorities. This is why the implementation of regulatory frameworks that allow the inclusion of telemedicine platforms for the benefit of patients continues to be a challenge for both the National Healthcare System and telecommunications, but there are no private regulations or limitations.
In this respect, Ministerial Agreement No 016-2018 emphasises the value of promoting telemedicine through pilot projects: “This project aims to help the National Health System (SNS) reach the entire Ecuadorian population, universally and at no cost, through strategic alliances between the public and private sectors, with the application of information and communication technologies, through the Infocentros Project, thus promoting the development of the information and knowledge society. Implementing a telemedicine/teleconsultation system among the medical staff of the Ministry of Public Health in rural areas, for a second opinion, with the support of specialists of the Medical Systems of the Universidad San Francisco de Quito, through the Infocentros Network, for the benefit of the most vulnerable.”
Digital medicine in Ecuador has not been regulated; however, the onset of the COVID-19 pandemic has led to the frequent application of telemedicine, which has been accepted by the Health Authority under the general rules for the provision of health services and the Code of Medical Ethics.
This situation has led to the identification of several areas that are emerging in the field of digital medicine, and on which regulation is necessary, which is a key challenge because it has a direct impact on the right to health and society in general.
The first issue has to do with the precision of the provision of health services and with the limitations of the applicability of telemedicine. Since there is currently no specific regulation, this scope of telemedicine is established and applied by the health professionals themselves, who must assess the relevance of its application to avoid errors in diagnosis or treatment, and to be able to establish precisely when to refrain from providing digital services.
However, digital medicine also includes the appropriate use of electronic medical records, for which appropriate technological systems, prescription tools, etc, must be applied. This is not regulated at the moment, but it is important to avoid errors and the possible liability of physicians.
It will also be necessary to regulate the responsibility of patients in complying with medical recommendations and in managing their health situation with the tools provided digitally.
In other words, digital health technology has generated the need for the regulation to change and adapt to new circumstances, with the ultimate goal of benefiting the patient.
Although in Ecuador there is no specific regulation on digital healthcare technologies and digital healthcare services, these have been applied for the management and control of the pandemic in all public and private health facilities.
Several advantages can be identified from this, for example:
In May 2023, the National Emergency Operations Centre (EOC) joined the declaration of the World Health Organization (WHO) regarding the end of the COVID-19 emergency. The Ministry of Health prepared a technical report that served as the basis for the conclusion that the country has a high level of immunity, sufficient vaccine stock, and a successful immunisation process; therefore, COVID-19 is no longer considered a public health emergency in Ecuador.
Notwithstanding the above, several of the healthcare mechanisms implemented at the public and private levels during the pandemic have already been established as common means of healthcare delivery, and this includes digital means of healthcare.
One of the advances in this sense is contemplated in the issuance by the Healthcare Authority of the Instructions for the Control of Patient User Safety Practices, which contemplates the use of physical and digital tools to ensure timely and safe access to healthcare information.
In Ecuador, several authorities are involved in digital medicine, led by the Ministry of Public Health (MSP) and its affiliated entities, such as the National Agency for Regulation, Control and Health Surveillance (ARCSA) and the Agency for Quality Assurance of Health Services and Prepaid Medicine (ACESS).
The MSP is responsible for the exercise of the managing role in health, as well as for the application, control, and surveillance of compliance with the Personal Data Protection Law; its responsibilities are detailed exhaustively in Article 6 of the aforementioned Law.
However, in Ecuador, there is also the ARCSA which has among its powers the sanitary registration of drugs and medical devices that may be useful in the field of digital medicine.
ARCSA’s attributions are generally related to the application and observance of guidelines, technical regulations, standards, and protocols governing products for human use and consumption.
Finally, there is the ACESS which has among its powers:
The entity must also promote and encourage the continuous improvement of the quality of healthcare and patient safety in public, private and community healthcare services.
The regulation of digital medicine has not been developed in recent years; in fact, in Ecuador, there are only regulatory norms with vague provisions on the subject.
Until the year 2022, it was expected that the regulation in this area would advance with the issuance of the new Organic Health Code.
However, the National Assembly decided to temporarily shelve the debate related to the Health Code, so its enactment was put on hold and, to date, there is no plan to resume the approval process.
However, the entities in charge of public policy continue to make efforts in this area, one of which includes the issuance of the Ten-Year Health Plan 2022-2031 by the National Healthcare Council, an entity attached to the Ministry of Health through which the “Digital Health Commission” was created, with the aim of drafting the regulations to govern telemedicine services in Ecuador.
The Ministry of Telecommunications and the Information Society issued the Digital Transformation Agenda; one of the pillars of the Digital Culture and Inclusion Axis is Digital Healthcare. The lines of action in healthcare are:
Key Areas of Regulatory Enforcement
The provision of healthcare services and devices is currently governed by the Organic Health Law. This law determines the administrative infractions in healthcare matters, which cover aspects related to both the provision of healthcare services and the commercialisation and administration of products subject to control and surveillance.
Regarding the provision of healthcare services, the Organic Health Law covers aspects related to the authorisation of professional practice, the registration and obtaining of permits, the adequate provision of services according to the specialty, the issuance of medical prescriptions, as well as the possibility for the national healthcare authority to conduct investigations relating to illegal practices, lack of expertise, impropriety, and non-compliance, in the exercise of healthcare professions, without prejudice to the actions of the ordinary justice system.
Regarding the commercialisation and administration of products subject to control and surveillance, the Organic Health Law includes the control of drugs, medical devices, biological products, food supplements, cosmetics, etc. In general, if irregularities are found in the importation, storage, distribution, transportation, advertising, promotion or pricing of these products, the Health Authority may issue sanctions.
Sanctions under the Healthcare Law may include a fine, as well as forfeiture and/or suspension of operations or professional practices.
This law establishes that this authority may prosecute a professional or establishment ex officio or following a complaint.
Administrative Procedure
Once alleged non-compliance with the law is determined, the corresponding health authority (Commissioner, Co-ordinator or Director) will issue an initial order that will include the date and time for the trial hearing to take place.
At the trial hearing, the offender shall be heard, and shall intervene himself or herself or through his or her attorney; the evidence submitted by him or her shall be received and added to the proceedings.
If so requested by any of the parties or ex officio, in the same proceeding, the case shall be opened for trial for a term of six days, in which all the evidence requested shall be taken.
The resolution issued may be appealed before the superior hierarchical authority in a second and final instance.
Sanctions
In sanctioning matters, in addition to the Organic Healthcare Law, the Organic Administrative Code is also applicable regarding the conduct of the administrative procedure, guarantees of due process, and the right to defence.
In this sense, the regulatory entities have issued resolutions emphasising that, in all administrative sanctioning proceedings, the alleged offender shall be guaranteed the following:
In these contexts, it is important to note that, for the implementation of telemedicine, the Ministry of Telecommunications and the Information Society is involved, which, through Ministerial Agreement No 22, approved the Digital Transformation Agenda in Ecuador, which highlights the importance of telemedicine, indicating the following:
In addition, the Ministry of Public Health, through the National Healthcare Council CONASA, is a relevant authority in this area, after the formation of the Digital Healthcare Commission, through which the new regulations on telemedicine and related aspects will be developed.
The National Health System Law defines health services as those intended to provide healthcare, promotion, prevention, recovery and rehabilitation on an outpatient, home, or inpatient basis, classified according to their resolution capacity, levels of care and complexity.
According to this law, a clear distinction is made between preventive and diagnostic healthcare.
The Health Authority must issue a Comprehensive Health Plan which, guaranteed by the State as a strategy of Social Protection in Health, will be accessible and of mandatory coverage for the entire population, through public and private providers.
As far as preventive healthcare is concerned, the Integral Health Plan provides:
For diagnostic healthcare, the Integral Health Plan encompasses the activities of detection, diagnosis, recovery and rehabilitation of health as well as the provision of the necessary services, medicines, and supplies at the different levels of complexity of the system, to solve the health problems of the population at the national, regional and local epidemiological levels. The preventative and diagnostic health mechanisms are merged through the co-ordination functions exercised by the MOH, mainly as provided for in the National Health System Law and concern the following activities:
In general, the Ecuadorian State is making efforts to strengthen preventative healthcare, although no great progress has been made in terms of regulation.
The Constitution and the Organic Health Law include, as basic principles, the promotion, prevention, recovery, rehabilitation and palliative care of individuals.
The Social Security Law also contributes to this by including prevention as an important principle. For example, the laws establish that social protection will be progressively extended to the member’s family and that preference will be given to risk prevention.
Though these provisions have to do with obligations imposed on employers to prevent occupational risks, they have been taken as a parameter for developing a public health policy that contributes to reducing the operation costs of the National Health System, as well as promoting social trends related to physical fitness and well-being.
The COVID-19 pandemic could also be taken as a cause for the increased attention to preventative health because it highlighted the need to optimise the performance of health professionals in such a way that they could deal with diagnosed cases that require direct attention.
Further, the implementation of a preventative health system has been facilitated by the use of technological capacity, telemedicine and a strict immunisation plan.
During the year 2022, and so far in 2023, the regulation in different matters has been updated, generating the need for preventive medicine plans to be carried out in different instances. Thus, this point has been included in the Technical Standard for the Institutional Care of Children and Adolescents, the Organic Law on Youth, and the Standard for the Protection of the Rights of Senior Citizens, among others.
There are very specific rules to protect patients’ information in Ecuador. These rules stem from the Constitution and are also reflected in the Organic Health Law, the Law on Patient Rights and Protection, the Law on the National Public Data Registry System, and even the Law on Statistics, all of which pertain to the confidential nature of citizens’ health data.
The general regulation on the management of healthcare information already had several standards in force, including the following:
However, since 2021, when the Personal Data Protection Law was enacted, specific rules on health data were incorporated, defining them precisely as sensitive because improper use could give rise to discrimination or infringe fundamental rights and freedoms.
In Ecuador, the general rule is that the processing of sensitive personal data is prohibited unless certain circumstances occur, which in the field of the handling of medical devices with AI may include the following:
Thus, the institutions that make up the National Health System, physicians and companies may collect and process data relating to the health of their patients through medical devices that use AI only when the above-mentioned circumstances are met.
Prevention is a principle related to the exercise of the right to health; however, there is no specific legislation that regulates this mechanism for the provision of health services.
In this sense, the Constitution of Ecuador recognises that healthcare is a right guaranteed by the State, whose realisation is linked to the exercise of other rights, including the right to water, food, education, physical culture, work, social security, healthy environments, and other rights that support good living.
In this sense, economic, social, cultural, educational and environmental policies; and permanent, timely and non-exclusionary access to programmes, actions and services for promotion of comprehensive healthcare should be governed by certain principles that include equity, universality, solidarity, interculturality, quality, efficiency, efficacy, precaution and bioethics, with a gender and generational approach.
Notwithstanding the above, the principle of prevention in health matters is reflected in current laws and codes such as the Organic Health Law, the Law on Patient Rights and Protection, the Law on Social Security and the Law on the National Health System.
In the area of preventive medicine, the norms revolve around the obligation of the State to guarantee immunisation against certain diseases, under the terms and conditions required by the national and local epidemiological reality. The Organic Health Law grants the Ministry of Health the competence to establish the norms and the basic national immunisation scheme, and to provide the population with the necessary elements to comply with it, at no cost.
In addition, several regulatory reforms have been created, related to the obligation of the National Health Authority to provide healthcare establishments with the biological products and supplies for the immune-preventable diseases contemplated in the basic national vaccination scheme, in a timely and permanent manner, ensuring their quality and conservation, at no cost to the end user. Likewise, at the private level, regulations have been established regarding the sanitary registration and commercialisation of biological drugs, and the establishment of vaccination centres, etc.
From the research conducted, the Ministry of Health has the medium-term objective of issuing regulations related to preventative healthcare and, mainly through immunisations, to achieve a better quality of life, health and equity in the Ecuadorian population. The National Plan for Good Living, the Model of Comprehensive Community and Intercultural Family Healthcare (MAIS/FCI) and the principles of the Global Vaccine Action Plan were enacted towards this objective.
Companies not connected with the provision of healthcare services are understood to be those that offer new products, equipment or technology.
These companies must take into account that everything related to health and consumption by people requires a licence and certain individual precautions, according to the nature and operation of this new technology.
Thus, for example, in the healthcare field, all products for human use and consumption are subject to sanitary registration; devices, medicines, and equipment with new technology must comply with the Technical Regulations.
The sanctions established in the Organic Health Law may include the possibility of imposing a fine, seizing of the product, suspending operations, and temporary or definitive closure of the establishment that uses or commercialises those products.
Additionally in this area, the Law previously established that before personal data can be transferred it must be anonymised. Since this is something new, companies in Ecuador should start with a process of implementation, guarantees and publication of these conditions.
There have been several initiatives in Ecuador, such as the use of telemedicine and the regulation and issuance of digital prescriptions during the COVID-19 pandemic, that were essential to guarantee the right to health of the population.
Additionally, Ecuador was one of the first countries in Latin America to implement the COVID-19 Auxiliary Diagnostic System, based on the Huawei Cloud in combination with AI, which was applied in the Hospital General del Norte de Guayaquil Los Ceibos and the Hospital General del Sur de Quito. This solution made it possible to diagnose more than 3,000 suspected cases per month using AI software.
This software contains thousands of images from around the world of suspicious lesions in the lungs of patients affected by COVID-19. The images are entered into the system, the results are compared and a more accurate and rapid diagnosis can be effected.
Although there is no specific standard or strategy, the Health Authority has focused its efforts on incorporating new technologies into the provision of health services and, gradually, devices with AI and other developments have become part of daily use, not only during the pandemic but also in other instances such as diagnostics, treatments and surgical interventions.
The use of artificial intelligence and connected devices for the diagnosis and treatment of diseases is an aspect that has been increasing in comprehensive public healthcare and in private healthcare facilities. In this sense, the Health Authority has strengthened regulations by establishing specific requirements for devices used in healthcare services.
The current regulation contemplates:
In general, health services are provided by health professionals, defined in the Organic Health Law as those whose third or fourth-level university education is specifically and fundamentally aimed at providing professionals with the knowledge, techniques, and practices related to individual and collective health and the control of its conditioning factors.
The health professions include:
In this sense, Ecuadorian regulations oblige doctors, nurses and auxiliary health professionals, etc, to exercise due care in the performance of their services, based on ethical standards.
Precisely on this last point, bioethics is a mechanism to be applied in the face of possible harm caused by the practice of medicine or other health professions.
In Ecuador, as in other countries, the regime that mainly addresses liability for adverse effects in the provision of health services is the criminal one, based on the Comprehensive Organic Criminal Code, particularly Article 146, which incorporates professional malpractice as a crime.
According to the described norm, persons who, by infringing an objective duty of care in the exercise or practice of their profession, cause the death of another, will face imprisonment of one to three years. If the death is caused by unnecessary, dangerous and illegitimate actions, the penalty will be imprisonment of three to five years.
This regime requires that for the determination of the infraction of the objective duty of care the following points must be noted:
In addition to the above, the production of adverse effects in the provision of health services also has a preventative aspect according to the Organic Health Law. In this sense, if the professional presents sufficient evidence of precaution, then criminal liability may not arise.
Article 201 of the Organic Health Law establishes that it is the responsibility of health professionals to provide quality care, with warmth and efficiency, within the scope of their competencies, seeking the greatest benefit for the health of their patients and the population, respecting human rights and bioethical principles.
Likewise, it establishes as an infraction subject to a fine, any individual and non-transferable act, not justified, that generates harm to the patient and is the result of:
The claims received by the Health Authorities, as well as hospitals and other health establishments, are related to surgical interventions, wrong diagnoses, and lack of delivery of medication for treatment in public hospitals; but on a few occasions, criminal actions have been initiated.
As explained in 5.2 Legal Implications, Ecuador has specific rules related to the protection of patients and their personal data.
The Personal Data Protection Law addresses the issue of personal health data, which is classified as sensitive. Sensitive data is that whose exposure could lead to serious consequences of violation of rights and basic freedoms of individuals.
It is for this reason that in Ecuador, this data must be secured against unauthorised access by third parties. The general rule is that its use is prohibited, except for the following exceptions:
The Organic Law for the Protection of Personal Data clarifies the need for the consent of the owner of the data.
The Organic Health Law is a relatively old law dating back to 2006 and, therefore, does not expressly refer to the use of AI in medical devices, telemedicine, or other aspects of telehealth, but regulates them in a general way, addressing obligations to obtain health registration, public permits of those who distribute such products and the competence of the Health Authority to carry out control and surveillance activities.
To regulate the registration and control of medical devices, Resolution ARCSA-DE-026-2016-YMIH of the Health Regulation Agency was issued. This regulation already introduces several concepts that are related to AI, such as software comprising the equipment, components, or software of a digital computer, necessary to enable the performance of a specific task through a medical device. They are always recorded together.
According to the Health Law, compliance with health surveillance and control standards is mandatory for all institutions, agencies, and establishments that carry out activities of production, import, export, storage, in terms of support, distribution, marketing, and sale of products for human use and consumption. Given this, the concept of techno-surveillance arises with regard to medical devices, which also applies to those that are connected to the internet or any other platform.
At the regulatory level, other efforts have been made to regulate the use of medical equipment or devices, particularly Resolution No ARCSA-DE-003-2017-CFMR, which contains the Technical Sanitary Regulations for the Control and Operation of the National Techno-vigilance System (the “Technical Regulations”). The Technical Regulations define techno-vigilance as “the set of activities aimed at the identification, collection, evaluation, management and disclosure of adverse events or incidents resulting from the use of medical devices for human use; as well as, the identification of risk factors associated with them, to prevent their occurrence and minimise their risks”.
The notification of events, adverse incidents, or healthcare alerts, is one of the responsibilities of the holders of medical device health registries, which among others includes:
As a consequence of the above, holders of health registrations for medical devices and equipment must comply with a specific process indicated in the regulations in force, in order to correctly and efficiently carry out the notifications, reports and management of information related to adverse events or incidents associated with the medical devices for human use that they manufacture, distribute or commercialise.
The Technical Sanitary Regulations for the Registration and Control of Medical Devices defines a medical device as an instrument, apparatus, implement, machine, application, implant, reagent for in vitro use, software, material or another similar or related article, intended by the manufacturer to be used alone or in combination, for human beings, for one or more of the specific medical purpose(s) of diagnosis, prevention, monitoring, treatment or relief of disease or injury, investigation, replacement, modification or support of anatomy or a physiological process, life support or maintenance, birth control, and disinfection of medical devices.
However, with regard to software, the Technical Regulations require sanitary registration with ARCSA for software for medical devices, defined as the equipment, components or software of a digital computer, necessary for the performance of a specific task, in contrast to the physical components of the system (hardware). Medical device software will be registered under the same sanitary registry as the medical device for which it is intended to be used, as long as it is factory-conditioned with the medical device.
Regarding its classification, software for medical devices will be automatically included in the same risk level as the medical device for which it is intended to be used, and, therefore, in the same Sanitary Registry.
In general, continuous improvements made to the software must be notified to the Health Agency, in accordance with the regulations in force. In the case of a notification, they can be implemented without delay.
At the moment, any software that uses continuous or adaptive learning from AI and machine learning, as opposed to “locked” algorithms and software in software-based or software-enhanced devices, is not subject to any specific regulation.
The challenges faced by companies outside the healthcare industry in offering software as medical-device technologies are the complexity in compiling a technical dossier for sanitary registration and the lengthy registration times for these types of products.
Currently, Ecuador does not have a legal framework that specifically regulates the provision of telemedicine healthcare services.
In this respect, the first requirement established for telemedicine to be provided in Ecuador is that the health professional must have a degree registered with the Ministry of Health, otherwise, he or she is not authorised to offer medical consultations or to prescribe in the jurisdiction of Ecuador.
In the private sector, the Organic Health Law and the Code of Medical Ethics must be applied, according to which telemedicine must be based on the doctor-patient relationship, confidentiality and quality of medical care, with the obligation to:
The responsibility remains the same as in face-to-face consultations. It is important to note that referrals in telemedicine (in which an international consultation may occur) will be taken as a second opinion, and the responsibility for the patient lies with the first attending physician.
The ethical standards on which telemedicine should be based remain relevant to the physician-patient relationship. Although this new mechanism of applying medicine entails new challenges for physicians, it is still based on trust, mutual respect, and the general rules established in the law for the practice of medicine.
In Ecuador, there have been no temporary changes in the regulations related to COVID-19 regarding the provision of healthcare services. Digital medicine, and particularly telemedicine, is not prohibited.
Undoubtedly, the practice of telemedicine should be subject to specific regulations, precisely to standardise and improve these services, including the determination of appropriate platforms for the practice of digital medicine.
There are no specific rules or private guidelines to follow in the field of telemedicine.
However, chapter VIII of the Code of Medical Ethics does describe the general regulation of medical fees, establishing that equity is the first and most universal moral norm for collecting professional fees; they must pay close attention to fairness, local customs, the magnitude of service, to the prestige and necessity of personal intervention, to the economic conditions of the patient and any honest pre-established pact, if there is one.
This code establishes that free care will be detrimental to colleagues and must be limited to cases of close kinship, assistance to colleagues, and manifest poverty. In this respect, in cases in which a patient, without justified reason, refuses to comply with the pecuniary commitments with the physician, the latter, once all private means have been exhausted, may demand payment of fees without affecting, in any way, the good name or credit of the plaintiff.
The incorporation of various technologies into medical devices has grown significantly. These technologies have improved the conventional functions and operation times of medical devices, as well as offering new and innovative functions.
Technological developments in electronics, mechanics and computer systems have made it possible to include in medical devices both wireless technology and many different functions linked to the diagnosis, treatment, control and monitoring of patients’ health, which has optimised these devices. Some of the new functions made possible by wireless technology are: the transfer and processing of data in real time, which allows for faster diagnosis and monitoring; the restriction of access to unauthorised personnel through fingerprint or facial recognition; protection against data manipulation (data integrity); and the administration of drugs according to the data that the device has obtained automatically or that has been assigned to it.
Ecuadorian regulations for medical devices recognise as medical devices both individual software and devices that have coupled software systems.
ARCSA establishes that medical devices must obtain a sanitary registration before being marketed in Ecuador. To obtain a sanitary registration, ARCSA evaluates the quality, safety and efficacy of the finished product for its purpose.
Devices that use software linked to the internet require system updates and are susceptible to computer viruses (malware) or to cyber-attacks. This can impact the quality, security and efficiency of the device.
Currently, ARCSA regulates the following categories of products for human use and consumption: medicines, natural products, food, cosmetics, household and industrial hygiene products, and medical devices.
The digital assistant Alexa does not fit into any of the aforementioned categories; therefore, Alexa does not need to comply with any regulations.
“Medical devices” for human use are articles, instruments, apparatus, appliances, devices or mechanical inventions, including their components, parts or accessories, manufactured, sold or recommended for use in the diagnosis, curative or palliative treatment, prevention of diseases, disorders or abnormal physical conditions or symptoms, to replace or modify the anatomy or a physiological process or control it. These include amalgams, varnishes, sealants and similar dental products.
A “medical device” is also an instrument, apparatus, implement, machine, appliance, application, implant, in vitro reagent, software, material, or another similar or related item, intended by the manufacturer to be used alone or in combination, for human beings, for one or more of the following specific medical purposes:
In telecommunications, 5G is the acronym used to refer to the fifth generation of mobile telephone technologies.
The use of this technology is provided for in the National Telecommunications and Information Technology Plan, issued through Ministerial Agreement No 7 dated 24 June 2016.
With the use of 5G technology, healthcare delivery systems will be able to enable mobile networks to manage telemedicine better, as well as to assign appointments, manage medical records, etc.
In other words, the implementation of 5G systems can contribute to the ultimate goal of facilitating the reach of telemedicine programmes to a larger number of patients and in various specialisms.
In addition, Ministerial Agreement 015-2019 approved the Ecuador Digital Policy, which aims to transform the country towards an economy based on digital technologies, by reducing the digital divide, developing the information and knowledge society, digital government, efficiency in public administration and digital adoption in social and economic sectors.
The Ecuador Digital Policy is mandatory for the public and private sector, related to the general telecommunications society, information society, information technology, information and communication technologies, postal and civil registry, and information security.
The implementation of this policy will be based on three main lines of action: connectivity, efficiency and security of information, and innovation and competitiveness, with the following health impacts:
One of the key issues when discussing the provision of personal data in clinical or research settings lies in the treatment and use that will be given to that data.
In this respect, the key points will be prior consent, except in cases of urgency, confidentiality and professional secrecy, in the handling of any such data.
In this regard, the recently published Personal Data Protection Law determines that health-related data contained in the institutions that make up the National Health System may be processed by private and public natural and legal persons for scientific research purposes, provided that, as the case may be, they are anonymised, or the processing is authorised by the Personal Data Protection Authority, following a report from the National Health Authority.
The exchange of data, and, in general, its treatment, may be carried out in the following cases:
De-identification is applicable only when the health-related data contained in the institutions that make up the National Health System are processed for scientific research purposes, provided that, as the case may be, they are anonymised, or any such processing is authorised by the Personal Data Protection Authority, following a report from the National Health Authority.
Given the recent enactment of the Personal Data Protection Law, there is still no regulation on medical research when the comparison of anonymised data with other data sources may result in a re-identification, because health data is personalised.
Consent has also been the subject of express regulation, which must comply with the following conditions: it must be freely given, specific, informed and unambiguous.
The application of the conditions for consent, use and processing of personal and sensitive data must be complied with at all times in the field of digital healthcare; there are no exceptions deriving from the use of portable devices.
In the event of non-compliance with the provisions set forth in the Personal Data Protection Law, whether in the healthcare field or any other, the Personal Data Protection Authority will issue corrective measures, with the aim of preventing the infringement from continuing and the conduct from happening again.
Corrective measures may consist of, among others:
Notwithstanding the foregoing, these may also be considered criminal offences.
The use of AI in digital medicine is a particularly useful tool for meeting the demand for services and facing the challenges that this represents in the healthcare system. This is due not only to the use of digital medicine, but also to the complexity of the treatments and the tools or inputs required to execute them.
It could be stated that Ecuadorian health legislation has indirectly regulated medical equipment that uses AI; however, such equipment is placed in a similar condition to any biomedical input or device, which can generate complications at the time of presenting requirements for obtaining sanitary authorisations. There are also directions on its proper use and on carrying out the subsequent controls to which it is normally subject.
When we talk about AI, general legal knowledge is required in the pharmaceutical, sanitary, IP, and compliance fields, taking care that all the control areas are covered to avoid risks and that there are adequate practices in distribution, use, personal data protection, patient protection and competition, among others.
AI has been used in active medical devices, such as compact battery-operated devices used for endoscopic procedures, an assisted surgery system that can locate anatomical structures in open interventions, and systems used in orthopaedic surgery.
The rules that are mainly applicable to the sale and use of these devices have their starting point in the Organic Health Law, and later regulatory standards such as the Technical Regulations for Registration and Control and the Pharmacovigilance Regulations, Resolutions, and Instructions.
However, one of the most novel issues that differentiates medical devices that use AI from other common medical devices is the need to obtain special authorisations, such as in the field of telecommunications. Requirements include:
Regarding data protection, there is no specific regulation for medical devices with AI, but in 2021 the Organic Law on Personal Data Protection was issued, which introduced to Ecuador the rights related to data protection, including informed consent, rectification, updating, deletion, opposition, cancellation and portability.
Among the regulatory and legal problems faced by companies that develop and sell new digital technologies for healthcare, the following should be noted.
In the health field, all products for human use and consumption are subject to sanitary registration. Products that deal with new technologies, for example, AI or software, are regulated by a Resolution of the Regulatory Agency, about which it is important to take into account that in Ecuador software cannot and does not require a sanitary authorisation to be used.
For the protection of sensitive personal data, companies must ensure that each device and/or piece of software includes an informed, prior, complete and specific consent that defines exactly what information can be collected and who will be responsible for its handling.
In this area, additionally, the Ecuadorian law establishes that for the transfer of personal data a previous condition of anonymisation of the information must be fulfilled, so it is necessary, being something new, that the in Ecuador start with a process of implementation, guarantees, training and publication of these conditions, among others.
The regime of corrective and sanctioning measures of the Personal Data Protection Law, which includes fines, came into force on 26 May 2022.
Finally, although it is not mandatory, it is recommended that companies begin to require intellectual property protection of software through copyrights, since the Code of Ingenuity protects them as literary works, regardless of whether they have been incorporated into a computer or whatever the form in which they are expressed.
The Vice Ministry of Telecommunications and Information and Communication Technologies has stated that establishing public policies in the telecommunications and information society sector is a first step toward promoting the development of telecommunications and ICT in Ecuador, in order to generate confidence in the markets at the regional level, as well as to improve competitiveness, ensure growth and extension, through the use of technology and various applications, and to have a population trained in the efficient use of ICT. The next step is the implementation of these policies through the Information and Knowledge Society Plan, which seeks to define a strategic framework to articulate the efforts of the different participants, in order to achieve the proposed objective.
On 7 February 2023, the Organic Law for Digital and Audiovisual Transformation was enacted, which establishes the general guidelines for digital transformation.
The Digital Transformation constitutes the continuous process of multimodal adoption of digital technologies that fundamentally change the way in which government and private sector services are conceived, planned, designed, implemented and operated, in order to improve the efficiency, security, certainty, speed and quality of services, optimising their costs and improving the conditions of transparency of the processes and actions of the State in its interrelation with citizens.
One of the objectives of this Law is to establish the regulatory framework for the promotion of the digital transformation of public institutions, private companies and society; as well as to strengthen the effective and efficient use of platforms, digital technologies, networks and digital services in order to attract investments, boost the digital economy, efficiency and social welfare, developing digital skills and competencies necessary for employment, education, healthcare and productivity.
Once this law has entered into force, it is estimated that in the short term a regulatory framework will be established to promote the digital transformation of public institutions, private companies and society; as well as to strengthen the effective and efficient use of platforms, digital technologies, networks and digital services in order to attract investment; boost the digital economy, efficiency and social welfare; and ensure that the digital skills and competencies necessary for employment, education, healthcare and productivity are developed.
The updating of systems and software of any kind brings with it two problems that have had to be resolved in the legislation. The first is related to the control of updates made to medical device software, since they are not obliged to be subject to prior approval by the Health Authority.
The second problem is the proper handling of the data that is part of the system that is intended to be updated, which may include personal data that identifies or makes identifiable a natural person, directly or indirectly. Sensitive data includes everything related to the physical or mental health of a person, including the provision of healthcare services that reveals information about their state of health.
In the first case, the Health Authority has implemented control and surveillance mechanisms, established in the Organic Health Law, which give the Health Authority the power to carry out an inspection of equipment and its software at any time. The Health Authority may order the suspension of marketing and use of the product and impose sanctions such as fines and retention.
Another of the control mechanisms is techno-surveillance, regulated by the Technical Regulations and used for the identification, collection, evaluation, management and disclosure of adverse events or incidents resulting from the use of medical devices of human use, as well as the identification of the risk factors associated with them, to prevent their use and minimise their risks.
On the other hand, health data management involves the collection and storage, quality control, processing, and compilation and analysis of the data and is regulated by the Personal Data Protection Law.
In this sense, Article 30 of this Law establishes the following relevant points that must be taken into account when updating IT and in the management of health information in general.
The scope of protection of patents is determined through their claims.
The scope of copyright protection is in the creation of the idea or literary work, where the software is included.
The scope of protection of trade secrets is materialised through a contract or agreement that determines that the information is confidential and therefore is contained in trade secrets that no one can share.
In reference to databases, the INGENIOS Code states: “Compilations of data or other materials, in any form, which for reasons of the originality of the selection or arrangement of their contents constitute creations of an intellectual nature, are protected as such. This protection of a database does not extend to the data or information collected, but it will not affect the rights that may subsist on the works or services protected by copyright or related rights that comprise it”.
In this respect, the scope of protection of the database has been established since its creation, provided that it is of an intellectual nature.
Regarding the work’s authorship, Ecuadorian law specifies that only a natural person can be the author; so, when talking about a technological device that does not have direct human contributions, its creations will be owned by the natural person who created the technological device. However, in the event that this creation has been by mandate of a company, it may claim its economic rights, if they are detailed in the contract for the provision of services.
Copyright
Advantages
Copyright allows the protection of audio-visual works, illustrations, graphics, designs, software, among others. Having protection can prevent unauthorised third parties from making use of the creation.
Disadvantages
With the constant advancement of technology and the emergence of new devices for digital medical care, it is possible that the current legislation does not contemplate the new rights.
Industrial Property
Advantages
Through trade mark protection, it is possible for each device or any platform for digital healthcare to have protection. On the other hand, it is possible to protect industrial designs that meet legal requirements through patents. In these cases, it is also possible to prevent third parties from using the owner’s industrial property rights without prior authorisation.
Disadvantages
Industrial property rights, being territorial, allow trade marks or designs to be copied and registered in other countries. The registration of industrial property rights takes a long time, which does not allow immediate protection of the right.
Being a recent issue in Ecuador, there is no judicial decision or regulatory resolution on the applicability and scope that the rights that protect the devices and structures of digital medical care will have.
In Ecuador, no structure has been specified for licensing contracts used for digital healthcare. However, Article 81 of the INGENIOS Code specifies what technology transfer will consist of as part of a process of social innovation. Similarly, as for the software used, it may be subject to a copyright licence.
The protection of digital healthcare rights can encompass a large part of intellectual property rights. Therefore, a licence will be granted for each of the rights that are intended to be licensed, thus allowing the rights of the owner not to be infringed.
The INGENIOS Code provides that: “In the case of works created in educational centres, universities, polytechnic schools, technical, technological, pedagogical, arts institutes and intellectuals and public research institutes as a result of their academic or research activity such as degree works, projects of research or innovation, academic articles, or others analogous, without prejudice to the fact that there may be a dependency relationship, the ownership of the economic rights will correspond to those of the authors. However, the establishment will have a free, non-transferable and non-intellectual licence for the non-intellectual use of the work for academic purposes.”
In relation to intellectual property rights when a company is in the private sector, the ownership corresponds to the author of the work, and the private company that collaborates with the investigation will have the quality of co-author of the work, since it would be a work in collaboration, as provided in Article 112 of the Organic Code of the Social Economy of Knowledge, Creativity and Innovation.
In Ecuador, there is the figure of works created under a relationship of dependency or commissioned works, which indicates that, unless otherwise agreed, the ownership of such works will correspond to the author. In this regard, in practice, companies develop specific contractual clauses on the ownership of a work or inventions, so that the company is always the owner of the rights developed by a third party under a dependency relationship.
According to the Code of Medical Ethics, healthcare professionals assume the responsibility of enforcing the Constitutional guarantee of the Right to Health of Ecuadorians.
However, in the exercise of the profession, as well as in the development of digital medicine, healthcare professionals assume a legal responsibility that should be considered with special caution when using AI for diagnostic or treatment purposes, as legal definitions relating to breach of the objective duty of care in the exercise or practice of medical care are in force in the legislation; these legal definitions can even lead to criminal liability.
In this sense, there are no grounds for exemption from liability considering only the use of AI, although it could be determined that the physician’s liability could only be generated if the equipment or device that uses AI was used differently from the manufacturer’s recommendations, either on the label or on the packet insert.
In other words, manufacturers and suppliers of diagnostic and treatment equipment could also have administrative and even criminal liability due to a system failure that causes damage to a patient’s health.
In any case, healthcare professionals must comply with the objective duty of care and maintain prior and informed consent of the patient, which also includes the knowledge, use and eventual transmission of their personal data or sensitive data.
Developers of software or equipment with AI should consider the new regulations in Ecuador regarding the protection of personal data and the Law on Patient Rights and Protection, to take care of any legal liability that may arise from the use of the software.
In the healthcare field, the duty of safety and responsibility has a very extensive content. In a broad sense, it implies the obligation of the external provider of services and goods to allow access to healthcare entities whose quality, safety and efficacy guarantee the health and physical integrity of the consumer/patient.
Thus, the Constitution of the Republic obliges them to guarantee the quality of goods and services offered to consumers and establishes the liability of those who make an attempt against the health and safety of these.
That is why the liability for defective products (issued with “defects” allowing cyber-attacks or others) arises as a result of the duty of safety that consumer-protection rules impose on producers and suppliers in the market.