Contributed By QUINZ
Digital healthcare is an umbrella term that stands for the use of information and communication technologies (ICT) – and, in particular, internet technology – to support or improve healthcare in the broadest sense, including e-health platforms, electronic patient files, electronic drug prescriptions, teleconsultations, and medical, fitness and well-being applications (apps).
Digital medicine and digital therapeutics (DTx) are subsets of digital healthcare and hence conceptually fall within its broad scope. The two concepts, however, can be hard to tell apart. Digital medicine refers to the deployment of technologies as tools for diagnosis and intervention to improve human health (eg, clinical decision support software) whereas DTx refers to evidence-based therapeutic interventions driven by software to prevent, manage or treat a medical disorder or disease and to spur changes in patient behaviour (eg, wearables and other wireless devices). They include patient-facing software apps that therapeutically support patients, bear the CE marking (see 6. Software as a Medical Device) and have a proven clinical benefit. Typically, DTx is classified as a subcategory of digital medicine.
Regulatory oversight, including the need for clinical evidence, will be critical in the context of digital medicine and DTx products and services due to their deployment for interventional, diagnostic and therapeutic purposes. In addition, these products will often meet the definition of a medical device, hence requiring compliance with applicable medical device legislation.
Both from a healthcare provider and patient/consumer perspective, it can be assumed that digital healthcare technologies, in general, will be – and already are – more rapidly and widely embedded into society due to their supportive and facilitative character. It is very likely, however, that some of these products will be received more sceptically by patients due to their more “invasive” nature (eg, insideables).
Neither “digital health” nor “digital medicine” nor “DTx” is currently defined in the Belgian regulatory framework.
As the main technologies in digital healthcare are likely to be focused on the collection, processing, transmission and presentation of data, technologies such as cloud computing, communication technologies, wireless networks (such as 5G – see 9.1 The Impact of 5G Networks on Digital Healthcare) and big data will remain essential. Nevertheless, the importance of other technologies such as robotics, virtual reality and the internet of medical things (IoMT) should not be underestimated.
Technologies (that can be) deployed in the context of digital medicine and DTx are equally numerous and include:
Novel health technologies (eg, AI, the IoMT, 5G networks and Bluetooth) are challenging the boundaries of the Belgian regulatory framework, which is often ill adapted to address the legal concerns such technologies entail. Existing laws and regulations scarcely accommodate the questions raised by a continuously developing digital healthcare industry, including with regard to:
The digitalisation of healthcare also involves a number of actors entering the industry that are unfamiliar with the highly regulated framework in which health products are embedded, which requires additional compliance investments. As a final point, the emergence of AI-driven healthcare technologies might involve ethical considerations regarding privacy, bias and discrimination in healthcare.
The Federal Agency for Medicines and Health Products (FAMHP) is the Belgian national competent authority overseeing the quality, safety and efficacy of medicines and health products, including medical devices, both during the clinical development process and with regard to the authorisation and marketing of drug and health products. To the extent digital health products are considered medical devices, they fall within the scope of the authority of the FAMHP. The actual conformity assessment procedure for granting the CE marking is carried out by the so-called “notified bodies” designated by the FAMHP.
The Federal Public Service for Health is more generally responsible for the organisation of healthcare in Belgium and controls the quality of health services and the practice of healthcare professionals. Hence, the deployment of digital medicine and DTx products and services by healthcare professionals and/or institutions is subject to regulation originating from this governmental agency and healthcare professionals have certain reporting obligations to its organs. In addition, the National Institute for Health and Disability Insurance (NIHDI) establishes reimbursement schemes for healthcare services, medicines and health products and thereby exerts an important influence on (the conditions for reimbursement of) health products and treatments. Lastly, professional associations such as the Order of Physicians and the Order of Pharmacists impose deontological obligations on healthcare professions, while self-regulatory industry organisations such as pharma.be and beMedTech lay down ethical rules for pharmaceutical and medical device companies.
Legislation specific to the area of digital healthcare is still very limited in Belgium. After a long transition period, Regulation (EU) 2017/745 (the Medical Device Regulation, or MDR) is applicable as of 26 May 2021 (although medical device manufacturers may be able to benefit from additional time within which to achieve MDR compliance) and Regulation (EU) 2017/746 (the In Vitro Diagnostic Medical Device Regulation, or IVDR) applies as of 26 May 2022. The Acts of 22 December 2020 and 15 June 2022 have brought the Belgian regulatory framework in line with the new EU legislation.
In January 2021, the NIHDI launched a scheme for the reimbursement of mobile health apps (as further discussed under 4.4 Regulatory Developments).
Additionally, electronic prescribing has been mandatory as of the beginning of 2020. The Healthcare Quality of Practice Act of 22 September 2019 safeguarding privacy, safety and quality of healthcare came into force on 1 July 2022 and impacts the permissibility of providing certain health services via digital means.
Finally, several legislative proposals in light of the European data strategy (which will undoubtedly have a considerable impact on the digital healthcare industry) have also been adopted in recent months, as further discussed under 3.1 Non-healthcare Regulatory Agencies, Regulatory Concerns and New Healthcare Technologies. One of the most notable examples thereof would be the forthcoming regulation on “The European Health Data Space”, which aims to create a framework for the sharing of health data across the EU (as discussed under 10.1 The Legal Relationship Between Digital Healthcare and Personal Health Information).
Enforcement concerning digital healthcare has been limited in Belgium up until this point. The main areas of enforcement concern data protection infringements, violations of the rules governing the marketing and sale of medical devices and competition considerations.
However, healthcare regulatory authorities have increasingly been on guard since the beginning of the COVID-19 crisis and the medtech industry will likely become an enforcement priority in the next few years due to the application of the MDR and the IVDR.
The increasing digitalisation of the healthcare industry is causing healthcare professionals and businesses to be impacted incrementally by legislators regulating digital markets. For instance, the European Union recently adopted several legislative acts governing digital markets, goods and services (including the Digital Services Act, the Digital Markets Act, the Data Governance Act and the Data Act (see 10.1 The Legal Relationship Between Digital Healthcare and Personal Health Information)), as well as a European regulatory framework on AI (see 11.2 AI and Machine Learning Data Under Privacy Regulations).
In addition, both the European Commission and the Belgian Competition Authority have focused their enforcement efforts on the digital market in recent years. Moreover, the healthcare industry is continuously looking for guidance from, and engaging with, data protection authorities such as the Belgian Data Protection Authority and the European Data Protection Board to manage the challenges that accompany the introduction of novel technologies in the sector. Several regulatory agencies also take on a different role with regard to new health products. Where the Federal Public Service of Economy was traditionally predominantly involved in the setting of prices of medicines and implantable medical devices, it will now have to take on more responsibility with regard to the advertising of (online) healthcare products and services.
The interests of such non-healthcare agencies are from time to time at odds with those pursued by regulatory healthcare agencies. For example, considering the data protection concerns related to the transfer of personal data to certain third countries (see 10. Data Use and Data Sharing), privacy experts generally recommend that personal data be kept as much as possible within the European Economic Area or any other country that has been recognised by the European Commission as offering sufficient safeguards for data protection. This suggestion not only collides with the reality of global pharmaceutical or medical device companies, where much of the research and development (R&D) takes place in countries not offering adequate protection of personal data, but also conflicts with the requirements of regulatory agencies governing the authorisation and marketing of health products, which generally demand worldwide clinical and safety data.
The interplay between the responsibilities of non-healthcare and healthcare agencies is now more frequently uncovered and many regulatory agencies have made commitments to collaborate more closely with one another. It will now be important to ensure that these pledges are being put into practice and a harmonised regulatory framework is being established.
Preventative healthcare (also referred to as “primary prevention”) refers to a category of healthcare in which the main objective is to avoid a disease occurring by detecting health problems before any symptoms develop (eg, vaccination).
Diagnostic healthcare (also referred to as “secondary prevention”) involves treating or diagnosing a disease as early as possible by monitoring existing problems, checking new symptoms, and following up on test results to initiate treatment without delay, and, as a result, reducing its mortality or severity (eg, radiology, ultrasound, cancer screening programmes and laboratory testing).
Preventative healthcare and diagnostic healthcare must be distinguished from curative care, which is only initiated when a disease has manifested itself with the onset of symptoms.
The rapid convergence between digital technologies and healthcare has changed how preventative healthcare is delivered at the population level, shifting the focus from curative care to preventative care. New tools such as clinical decision support software, wearables, insideables, and fitness and well-being apps significantly contribute to actively monitoring a patient’s health status and preventing or diagnosing diseases.
It is therefore not surprising that the future of healthcare is expected to be preventative, which is substantially cheaper (ie, diseases are prevented or diagnosed before they become major and expensive treatments are avoided) and is considered fundamental in the context of the future sustainability of the Belgian healthcare system.
Fitness and well-being apps that cannot be classified as a medical device (see 6. Software as a Medical Device) are not (yet) regulated by the legislature. However, this does not necessarily imply that the data collected and processed through such apps is not regulated either. On the contrary, in the event that this data concerns information that is related to an identified or identifiable natural person within the meaning of the General Data Protection Regulation (GDPR), such processing must comply with the provisions of said regulation (see 10.1 The Legal Relationship Between Digital Healthcare and Personal Health Information). In addition, the EU funds an initiative (Label2Enable) that seeks to establish a high level of quality and reliability of health and wellness apps based on CEN-ISO/TS 82304-2.
The use of mobile health apps in the healthcare process is becoming more common and plays a substantial role in the context of increased preventative healthcare (see 4.2 Increased Preventative Healthcare). However, their reimbursement has long been a sore point in Belgium, particularly because of the difficulty of evaluating such apps. The Belgian federal government has therefore established a system making reimbursement of these apps possible. Under the new procedure applicable as from 1 October 2023, companies can apply directly to the NIHDI for validation of their mobile medical app. Other stakeholders, such as scientific associations, hospitals or professional associations of healthcare providers, can now also submit such an application.
“mHealthBelgium” is a platform managed by industry organisations beMedTech and Agoria, which was created with support from the Belgian government. It centralises all relevant and necessary information regarding mobile health apps for patients and provides a validation pyramid consisting of three levels: M1, M2 and M3 (including M3- and M3+).
The first level, M1, requires that the app is a medical device bearing the CE mark and that the FAMHP is notified, which will then verify the app’s conformity with the applicable medical device legislation. In addition to the requirements of the first level, apps entering the second level, M2, must meet all ICT requirements as imposed by the eHealth-platform in the context of cybersecurity and data protection and privacy. Since 2024, the second level also requires that an admissible reimbursement request has been submitted to the NIHDI and, hence, that the socioeconomic value of the app is being evaluated. The third level, M3, regulates the funding and reimbursement of the app. In this regard, an app entering M3- is temporarily funded while still collecting data regarding its socioeconomic value. If the app’s socioeconomic value is adequately proven, the app is eligible to enter M3+, which means that the NIHDI will officially reimburse the app. However, the rollout of the reimbursement pyramid has had limited success so far, as proving the socioeconomic importance of apps remains difficult. Only one app, the rehabilitation and recovery app “moveUP”, has managed to enter level M3-, and no apps have achieved level M3+. The reimbursement agreement for moveUP ended on 30 June 2023, meaning that, at present, no mobile health application is being reimbursed by the NIHDI.
As an alternative funding route, in order to promote sports and a healthy lifestyle, Belgian health insurance funds provide “additional advantages” such as partly reimbursing gym subscriptions or other (app) memberships. In addition, the NIHDI is strengthening the provision of psychological care for the Belgian population by largely reimbursing the costs involved. In this way, psychological care is becoming more accessible and the threshold lower. The Belgian e-Health Action Plan 2022-2024 also sets forth the ambition to integrate mental healthcare more comprehensively into care pathways to advance to a more holistic approach to healthcare.
The challenges non-healthcare companies might face – or that non-healthcare companies should at least consider – are extensive. Notably, this industry is highly regulated and complicated. Non-healthcare companies will therefore need to adjust their market strategies in accordance with the applicable regulatory frameworks that govern health products and services (eg, in the context of the promotion of medical devices). Moreover, these companies will also have to invest heavily in compliance, which will very likely include compliance with data protection laws and regulations, intellectual property laws and regulations, and medical device legislation.
Finally, yet importantly, non-healthcare companies will need to take into account that they will have to accommodate not only the interests of the end users but also those of other stakeholders within the healthcare industry such as doctors, hospitals, health insurance providers and the NIHDI.
The enhanced use of connected devices in healthcare can be explained by the confluence of societal and business challenges requiring increased reliance on tele- and digital health, and the development of advanced technologies enabling the same. The limited number of healthcare staff and constrained healthcare budget in Belgium necessitate a focus on cost-efficiency, which can be best achieved through value-based, personalised and remote healthcare. In addition, there is a clear desire on the part of patients to play a more active role in their treatment, by being able to consult their medical records through remote and mobile channels and by tracking their health data in real time through wearable devices.
IoMT devices (ie, digital healthcare products that connect to IT systems through online computer networks) have the potential to create a continuous stream of health data, making them the ideal solution for patient monitoring, diagnosis, patient support and intelligent decision-making. Cloud computing services can connect different devices, users and systems and are considered a convenient and efficient way to store and manage the massive amounts of data collected and processed. This enables interoperability between platforms, allowing patients and healthcare providers to easily access online health records which compile the patient’s medical information from various sources. Finally, as discussed below (see 11. AI and Machine Learning), AI-driven technologies may provide an array of benefits (and challenges) for healthcare providers and patients.
It is mainly through the integration of these technologies that a connected healthcare system can emerge, which not only optimises collaboration between healthcare providers (thereby reducing costs and increasing efficiency), but also enhances patient experience and control.
While the use of connected devices is rapidly gaining ground in all areas of healthcare, the follow-up of patients with chronic conditions (such as cardiovascular disease or diabetes) in particular has benefitted from the advances in remote monitoring. Women’s healthcare has also been positively affected by the emergence of medical devices tracking, among other things, ovulation, pregnancy and nursing. In addition to the vital role they play in remote monitoring and home (after-)care, IoMT devices such as smart beds, automatic nurse call systems and hand-hygiene monitors have the potential to increase efficiency and improve patient safety in hospitals.
As discussed in detail hereunder (see 15. Liability), in Belgium, the traditional regimes consist of contractual and extra-contractual liability. On top of that, Belgium’s medical liability system is twofold, including the medical liability of a physician or a hospital as well as a fund to compensate for severe damage as a consequence of, for instance, medical accidents without liability. In this context, manufacturers, suppliers or sellers of health devices such as wearables, implantables and digestibles might be liable under the product liability framework if the end user (eg, a patient) has suffered damage due to the malfunctioning of such products. Given the upcoming extension of the product liability regime at EU level, the latter may become even more relevant.
The healthcare industry is particularly sensitive to data breaches and incidents (eg, the leaking of personal data) and cybersecurity attacks (eg, hacking). As a result, stakeholders should always carefully assess the possible implications and risks when making use of the IoMT, whether it be in a cloud computing environment or an on-premises and local computing platform. In the event that a digital healthcare company decides to collaborate with a cloud service provider, this service provider will likely process the data on behalf of the digital healthcare company. Within the context of the GDPR, the company might then be considered a controller (ie, which decides on the purposes and the means of the processing of personal data) and the service provider a processor, which, in turn, might outsource several processing activities to its sub-processors.
It is therefore of profound importance to contractually cover any risks relating to data protection and cybersecurity and to allocate the roles and responsibilities clearly and adequately in a data processing agreement. This agreement must include extensive audit rights for the benefit of the digital healthcare company as well as a liability clause that sufficiently protects the digital healthcare company in the event of any claims of patients or a data protection authority as a result of infringements by the cloud service provider. Lastly, the cloud service provider must ensure appropriate organisational and technical measures to secure any personal data and confidential documents stored.
Healthcare institutions making use of the IoMT should establish information security policies that encompass administrative, technical and physical safeguards to protect against the unauthorised or accidental disclosure, use, destruction, loss or alteration of patient information. These may include, for example, automated security testing tools and vulnerability scanners, cybersecurity training, spam blockers, the restriction of administrator privileges to a limited number of users, etc.
On 19 April 2024, the Belgian Act establishing a framework for cybersecurity of network and information systems of general public safety interest, also called the “NIS2 Act”, was approved by the federal parliament. The NIS2 Act transposes the new Network and Information Security Directive or NIS2 (Directive (EU) 2022/2555) into Belgian law. NIS2 provides a better response to the growing threats posed by the digitalisation of healthcare and the surge in cyber-attacks through stronger security requirements, also addressing the security of supply chains, streamlined reporting obligations, more stringent supervisory measures and stricter enforcement requirements, including harmonised sanctions across the European Union. Since many hospitals and other healthcare providers in Belgium did not fall under the scope of application of the first NIS Directive (Directive (EU) 2016/1148) and transposing law, NIS2 will be particularly important for the Belgian healthcare industry as it extends the scope of entities to which the NIS requirements apply. According to the Belgian Centre for Cybersecurity, the total number of companies in Belgium covered by NIS legislation will increase by a factor of 20 to 40 with the introduction of NIS2. The NIS2 Act will enter into force on 18 October 2024.
European lawmakers have recently adopted one of the most groundbreaking pieces of legislation of recent years, regulating artificial intelligence systems (see 11.2 AI and Machine Learning Data Under Privacy Regulations), which will have an important impact in the field of the IoMT, to the extent the latter increasingly relies on AI-driven technologies.
Under the MDR, software is classified as a medical device in its own right (MDSW) if it is intended to be used for a medical purpose as set out in Section 2(1) of the MDR (eg, diagnosis, prevention, monitoring, treatment or alleviation of a disease, injury or disability, or control or support of conception). The medical device framework shall also apply if software is intended to drive or control the use of a medical device or can be considered as an accessory of a medical device. The classification of software as an MDSW has important consequences, as the medical device framework is complex and burdensome, especially for manufacturers that are just entering the digital healthcare market. Software companies may therefore be incentivised to indicate that their product is not intended for medical purposes and should instead be considered a fitness or wellness product, in order to avoid having to comply with this framework.
The MDR introduced a new risk-categorisation system for medical devices that entails that many MDSWs may now fall under Class IIA and higher. This may, for example, be the case when software is used to make therapeutic or diagnostic decisions (eg, clinical decision support software). If an MDSW cannot be classified under Class I, self-assessment will no longer suffice to receive the CE marking and, thus, market access for an MDSW may become increasingly time-consuming. Indeed, medical devices of Class II (A&B) and Class III must undergo a conformity assessment procedure and (for certain Class IIB and Class III devices) a clinical evaluation before receiving the CE marking to be placed on the market. The same requirements apply to (software as) medical devices that use AI or machine learning. Moreover, the new EU regulation on AI (the “Artificial Intelligence Act” – see also 11. AI and Machine Learning) recognises that medical devices powered by certain AI systems may be considered “high-risk” and imposes a check on compliance with the requirements for any such AI system in the conformity assessment of the medical device. As indicated above (see 2.2 Recent Regulatory Developments), to the extent software is considered a medical device, it falls within the scope of authority of the FAMHP, which (as prescribed by the MDR), is responsible for designating and monitoring the notified bodies that carry out the conformity assessment procedure, and for the post-market surveillance of medical devices.
The MDR further requires that any proposed changes in the design, intended use, product-range, type or quality management system of a device are assessed and approved by the relevant notified body. Given that software improvements are made on a continuous basis, this requirement is ill-adapted to the reality of MDSW. The burden of undergoing an assessment procedure each time an update to the software is envisaged may effectively hold back improvements in patient care. The more rigorous requirements of the quality management system under the MDR compared to its predecessor and a focus on post-market surveillance in the MDR and the Artificial Intelligence Act are the first steps towards managing software that is improved or modified throughout its lifetime; however, a comprehensive framework on machine/deep learning medical devices is still absent and the current landscape still revolves around “static” rather than “dynamic” medical devices.
Telehealth holds the promise of increasing the accessibility, efficiency and affordability of healthcare while offering the patient a more personalised and highly specialised approach. Through telehealth services, the patient’s right to choose their physician is no longer determined by location but by best fit. In addition, telemonitoring services through wearables and other remote patient monitoring devices and technologies foster early discovery and intervention and provide physicians with a dynamic overview of a patient’s health status as opposed to a snapshot at the time a patient comes in for consultation.
Tele-expertise is no longer limited to a select group of key opinion leaders consulting on rare diseases but is also readily used by general practitioners seeking advice from specialists.
Virtual hospitals (ie, healthcare facilities that operate completely online) could be a viable alternative to physical hospitals, especially for conditions that do not require urgent medical attention. Through the use of connected devices, audiovisual communication and AI, virtual hospitals would offer a solution to manage increased demand and costs, while also reducing patient exposure to infections.
Where hospitals and physicians go digital, the online (retail) pharmacy follows, providing pharmaceutical advice and products more rapidly and cost effectively. However, telehealth services also give rise to several risks and challenges, more notably regarding the credibility and certification of online healthcare providers; the confidentiality, privacy and security of patient data; the reimbursement of cross-border services; and medical liability.
So far, Belgium does not have an integral telehealth framework. While telemonitoring and tele-expertise between physicians have been common practice for quite some time, the National Council of the Order of Physicians has long been opposed to diagnosing patients at a distance, asserting that considerable risks were involved and that, therefore, physicians could only diagnose patients without a physical consultation in exceptional cases. However, Directive 2011/24/EU on patients’ rights in cross-border healthcare established the “country of origin” principle, meaning that healthcare professionals established in a member state of the European Union can provide healthcare services to patients located in other member states under the same terms and conditions as they are able to provide in their member state of establishment. In other words, Belgium cannot impose its regulatory framework on a healthcare provider that is established in another EU member state and is providing healthcare services to a recipient in Belgium. In addition, Directive 2011/24/EU obliges the NIHDI to reimburse certain cross-border healthcare services. This led to the contradictory situation where a patient could not receive reimbursed telehealth services from a physician located in Belgium, but that patient could receive (reimbursement for) those healthcare services if they were provided by a physician located in another EU member state.
The beginning of the COVID-19 crisis signified the end of an era in which healthcare was centred around in-person consultations and brought the telehealth framework on stream. The emergency measures taken by the legislature provided that telehealth services were allowed and were reimbursable by the NIHDI, if provided within certain conditions. However temporary these measures were, it is already apparent that the sudden widespread use of health services at a distance has induced a shift in mindsets, not only of physicians and patients, but also at the regulatory level. In a communication of June 2022, the National Council of the Order of Physicians recognised that teleconsultations could be a valuable tool to complement face-to-face patient care, under certain conditions. Notably, precautions must be taken to guarantee the quality and continuity of care, such as updating the patient’s electronic record, and the therapeutic relationship between the patient and the physician (including the consent of the patient) must be adequately established. Further, physicians should only prescribe medicinal products or medical devices via Recip-e, the official system for electronic prescriptions. The National Council has, since its communication in June 2022, advised on a number of topics relating to teleconsultations, including whether a certificate of absence can be provided to a patient by their physician during teleconsultations without face-to-face contact and whether a deposit for booking a doctor’s appointment via a platform can be requested.
Slowly but surely, a liberalisation on the sale of medicines and medical devices is also emerging. As of 2019, patients and healthcare professionals can purchase their medical devices (carrying a CE mark) directly (online) from any distributor or manufacturer instead of in a pharmacy.
Since remote healthcare, logically, relies heavily on the use of online platforms enabling audiovisual communication, the EU Digital Services Act, which applies as from 17 February 2024, has a significant impact as well.
Telehealth services have only been introduced in the nomenclature of the NIHDI in the past few years and, even now, a comprehensive reimbursement scheme is lacking. Certain mobile health applications that (i) are classified as a medical device, (ii) are CE marked, connected or interoperable with the Belgian eHealth-platform, and (iii) have demonstrated sufficient socioeconomic added value are eligible for reimbursement (see 4.4 Regulatory Developments).
As of August 2022, teleconsultations via video or telephone conference are included in the nomenclature of the NIHDI and are consequently being reimbursed. The NIHDI is also testing a number of pilot projects concerning telemedicine and has expressed its commitment to develop a consolidated framework in the near future.
Consumer and connected devices and the IoMT are welcome allies in the fight against a rise in welfare and chronic diseases, the challenges arising from an ageing population and a healthcare budget that is increasingly under pressure from innovative but high-cost therapies. As discussed above (see 5.1 Internet of Medical Things and Connected Device Environment), it is mainly the integration of different technologies such as cloud computing services, AI-driven and machine learning technologies and sensor tag technology in (wearable) devices connected to mobile applications that has enabled the IoMT to flourish. Through wearables, physicians can monitor patients consistently and effectively at home, leaving hospital beds available for patients who need to be admitted for intervention. The older generation is able to live at home for a longer period via the help of digital assistants and medical-alert systems, which reduces the burden on residential care centres and care staff. Lastly, individuals are empowered to take their health into their own hands and, consequently, the overuse of healthcare services is prevented.
Nonetheless, the devices and applications related to the IoMT are not without their controversies. To begin with, mobile health applications and consumer devices are often presented as a wellness or fitness device and manufacturers avoid labelling their products as “intended for medical purposes” in order to evade the stringent regulatory requirements applicable to medical devices (for more information on classification as a medical device, see 6. Software as a Medical Device). Accordingly, medical advice may be disguised as lifestyle recommendations given by unqualified professionals, contrary to the rules on lawful practice of medicine and the regulatory oversight by the FAMHP on medical devices.
Another key problem is the inequality of access to these devices and technologies, as the reimbursement schemes for digital healthcare applications remain fragmented (see also 7.3 Payment and Reimbursement). Furthermore, since the patient data collected by IoMT devices and applications is often transmitted to the manufacturer prior to being provided to the healthcare provider, the medtech industry collaborates with healthcare professionals more closely and comes into contact with patients and patient organisations more often and more closely, which results in concerns regarding the advertising and promotion of health products. Last but not least, cybersecurity and privacy risks (eg, cyberattacks, malware, data breaches, phishing, etc) are also prominently present in this field of digital healthcare, as devices, technologies and applications are interconnected, which increases the “attack surface” of healthcare organisations and complicates the monitoring of security vulnerabilities. This lack of visibility also affects the security of personal (health) data collected in this setting, which is processed outside the strict realms of healthcare provision.
To date, the increased security risks resulting from the integration of different technologies and the connectivity between devices remain insufficiently addressed by applicable cybersecurity and data protection legislation and policies. However, the importance of ensuring device security in a healthcare setting should not be underestimated, especially since any alterations in the functioning of IoMT devices resulting from cyberattacks could potentially jeopardise a patient’s life. While it is the responsibility of device manufacturers to design security and data protection into their devices, healthcare organisations could also take protective measures; eg, by creating an isolated network for connected devices, investing in the automated monitoring of security vulnerabilities and organising cybersecurity training for their staff.
The low latency, increased speed and bandwidth of 5G networks allow cellular wireless networks to compete fully with wired networks in the provision of digital healthcare. This, in turn, could allow for the provision of telehealth services from, and to, practically everywhere, even in the absence of wired networks. The possibilities for remote healthcare that 5G brings to the table are crucial for medical treatment in disaster areas, as wired infrastructure might be impacted or destroyed as a result of a disaster, or these areas might be hard to reach. The same applies for first responders, who, through 5G technology, will be able to provide remote first aid or benefit from the qualities and experience of specialists and colleagues without a need for their physical presence.
Moreover, the aforementioned qualities of 5G networks coupled with their increased connection density will allow for a more complete and effective integration of technologies such as the IoMT in digital healthcare. For example, one might think of the use of sensors and wearables, allowing the monitoring of vital functions not only during a telehealth consultation but consistently over a longer period, providing healthcare practitioners with useful insights on the overall health, stability or pathology of a patient. The use of IoMT technologies (enabled by 5G networks) will allow this data to be transmitted automatically to healthcare practitioners and allow the various wearables or sensors to communicate and interact with each other.
Overall, it can be expected that 5G will enable the provision of remote healthcare services in a more effective, reliable and comprehensive manner, with the possibility of remote operations due to low latency of 5G networks as a pinnacle.
Nonetheless, the highly sensitive and private nature of data created, processed and transferred in the context of digital healthcare is diametrically opposed to the public character of (5G) wireless communication networks. Hence, when entering into arrangements with telecoms providers that deploy and manage a 5G network, sufficient attention to provisions regarding responsibility for network security and data protection and privacy will be paramount. Furthermore, when relying on (wireless) technologies for the provision of critical services such as healthcare services, contractual provisions regarding the assurance of connection stability and liability for failure or interruption of services will also be crucial.
In the Belgian context, it needs to be noted that the telecom sector is currently an enforcement priority of the Belgian Competition Authority, which became evident when the Authority announced that it launched an investigation into anti-competitive practices in the roll-out of fibre-optic networks. The outcome of such investigation may further impact the roll-out of such networks and consequently, the 5G connection that may depend upon them.
Patients have the right to privacy and a carefully kept and stored (electronic) patient record in relation to their healthcare professional (Articles 9 and 10 of the Act of 22 August 2002 on Patients’ Rights and Articles 33–40 of the Health Care Quality of Practice Act of 22 September 2019). However, the time when medical confidentiality by healthcare professionals was sufficient to safeguard patients’ health information is long gone. Patient information is currently stored in an electronic health record on the eHealth-platform (the online portal of the Belgian federal government for storing and sharing health data) and can, to the extent relevant for treatment, be accessed by a patient’s healthcare providers. In November 2023, an amendment to Article 5, 4°, b) of the Law Establishing and Organizing the eHealth Platform was adopted by the Belgian legislator. This provision eliminates the requirement for prior patient consent to upload medical records to the platform. Instead, it offers patients an opt-out option.
In Flanders, Vitalink is the digital platform that enables healthcare providers to share data of their patients, taken from their electronic health record, in a simple and secure way.
In addition, in a digitalised healthcare industry, several other participants will need to process a patient’s personal data. A prominent focus of the Belgian eHealth Action Plan 2022-2024 is the development of a Belgian Integrated Health Record (BIHR). This advanced model of data exchange, facilitated through a central digital platform, aims to enhance collaboration among all health stakeholders, ensuring a seamless continuum of care for patients. Among its objectives is the transformation of "real-world data" from the BIHR into "routinely collected data," thereby improving documentation, accessibility, quality, and reusability of the information.
In this context, stakeholders should bear in mind that personal information regarding health and genetic and biometric data (for the purpose of identification) is considered sensitive personal data under Article 9 of the GDPR. Processing of such personal data is principally prohibited, unless a justification applies. Personal data relating to health can therefore only be processed in exceptional cases.
Besides the GDPR, recent initiatives have been taken to empower the patient in taking a more active role in the management of their health and accompanying health data. For example, the recent updates to the Patients’ Rights Act of 22 August 2002 require healthcare providers to make patient data available through government-validated online platforms and allow the patient to record some of its choices (eg, with respect to its care plan) and communicate with its healthcare provider online. Further, the patient’s right to receive information about its health status is reinforced.
Data Processing in Partnerships and Secondary Use
Other uncertainties relate to the data processing roles and responsibilities in multi-stakeholder innovative partnerships such as consortium agreements, but even in multi-study-site clinical research projects, it remains dubious which processing role each party takes on. This leads to ambiguity for data subjects and can cause considerable delays in negotiations in partnership agreements.
Another point of interest is the possibility to use existing research data for secondary use. The objective of the new Data Governance Act is to govern the reuse of publicly held, protected data, both personal and non-personal. This is accomplished by regulating new data intermediaries and fostering data sharing for altruistic purposes. Of course, if it concerns personal data, the GDPR also applies. The GDPR and the European Commission guidelines provide some flexibility to ask for consent for a broader field of research instead of for one research project; however, it remains to be seen how any such margin should be interpreted in practice (see Recital 33 of the GDPR). One of the key objectives of the European Health Data Space is to make health data (such as data resulting from research and development activities undertaken by pharmaceutical companies) available for re-use for research, innovation and public health purposes.
In relation thereto, Belgium has recently established a Belgian Health Data Authority tasked with overseeing the secondary use of health data and, more broadly, facilitating the exchange of health data for research purposes.
On 24 April 2024, the European Parliament approved the draft regulation creating a European Health Data Space, boosting the availability of qualitative health data and facilitating the sharing of personal data of patients for research, innovation and improvement of public health without losing sight of data protection and privacy. The regulation still needs to be formally approved by the Council of the EU before becoming law. The regulation will undoubtedly be a major step forward for digital healthcare in the EU, making especially the future of machine learning and AI in research and innovation look quite promising.
In the current healthcare ecosystem, it may be more appropriate to make use of the term “augmented intelligence” rather than “artificial intelligence”; that is to say, human capabilities can only be augmented but not replaced by intelligent devices. AI systems work well in verifying outcomes, correcting human errors and processing large amounts of information efficiently, but are presently not intended to function without human instruction, oversight and intervention in an industry as sensitive as the healthcare industry.
AI-driven technologies could offer an automated analysis of the collected data, recognising or predicting diseases to significantly increase the quality and speed of diagnosis.
For machine/deep learning and AI to work to the best of their abilities, large amounts of high-quality training data sets are needed. This requirement seems often to be at odds with a few of the basic principles of the GDPR, such as purpose – and use – limitation and data minimisation. It may therefore be challenging to secure sufficiently comprehensive rights on data in order to be able to use and share such data with relevant partners. Transparency and patient empowerment are useful tools that may help this purpose; ie, if extensive information about the processing of personal data is given by the healthcare provider to the patient, a patient is more willing to give their free informed consent (although the adequacy of consent as a legal basis must not be overestimated).
Lastly, due to the emergence of virtual assistants (such as Alexa), natural language processing (NLP) (ie, the ability of a computer program to understand human language as it is spoken and written) is slowly but steadily becoming integrated into the healthcare industry. However, NLP has led in the past to significant concerns from a data protection and privacy perspective due to the difficulty to confirm and verify the results of the data processed by AI systems, which are often characterised by bias. As a result, AI is usually difficult to deploy in a transparent manner and thus it is paramount to always carefully assess its intended use (eg, data processing impact assessment) in order to apply appropriate additional measures.
In April 2021, the European Commission unveiled its AI package proposing new rules and actions to turn Europe into the global hub for trustworthy AI. On 21 May 2024, the Council of the EU formally approved the EU Artificial Intelligence Act (already approved by the European Parliament in March), which sets out the regulatory framework applicable to all AI systems and models placed on the EU market, with specific requirements depending on the intended use case of the system or model. AI systems and models, including their output, developed and put into service for the sole purpose of scientific research and development do not fall within the scope of the Artificial Intelligence Act.
Although the Artificial Intelligence Act aims at protecting fundamental rights when AI is deployed, it does not cover any risks relating to black box AI, nor are there any guidelines in place that apply to this concern.
Due to the lack of transparency, black box AI poses a significant challenge in the context of the processing of personal data; namely, data subjects (eg, patients) have the right not to be subject to a decision based solely on automatic processing (Article 22, GDPR). A data subject may therefore request that a decision made about them by automated means shall be reviewed by a natural person (eg, a doctor). It may be difficult for the natural person to assess whether the decision made by an AI system was correct if that person is not aware of how the AI system decided on a certain outcome.
Companies that are entering the digital healthcare market by developing and selling new digital healthcare technologies should be aware of the challenges that the convergence of two industries entails. Traditional healthcare or pharmaceutical companies may be confronted with pertinent challenges relating to cybersecurity and data protection when entering digital markets (eg, ransomware, phishing and denial-of-service attacks). On the other hand, companies that are ordinarily involved in the offering of digital services and products to customers may be surprised to learn about the highly regulated context of the healthcare industry and the additional compliance requirements associated with entering that market.
Healthcare institutions or other customers of such new technologies have every interest in appropriately allocating the roles and responsibilities when negotiating agreements (eg, master services agreements, software as a service (SaaS) agreements and data processing agreements) and in adequately addressing any inherent risks.
In order for digital healthcare to be fully embraced by healthcare organisations and healthcare professionals, considerable changes to the infrastructure and organisation of hospitals and practitioners will be required. For instance, several cyber-attacks on Belgian hospitals and testing centres during the COVID-19 crisis have proven that healthcare institutions are a frequent target for cybercriminals and are often ill prepared for such a challenge.
At the level of the individual practitioner, several barriers prevent the adoption of healthcare technologies. A study by the Belgian Health Care Knowledge Centre concluded that general practitioners struggle with security concerns and an overload of information on e-health platforms. They also have to invest substantial amounts of their own time in getting to know new IT systems and they are reluctant to depend on external services for the operability and functioning of their general practice.
Besides investment in better infrastructure, due care should be given to a radically different manner of educating healthcare providers. In order for AI, mobile health technologies and wearables to find their way to individual practitioners, these caregivers should be incentivised and educated thoroughly and continuously. The Health Care Quality of Practice Act of 22 September 2019 imposes an obligation of continuous learning on healthcare professionals; however, multiple implementing acts are still required and qualitative digital healthcare learning opportunities need to be offered to practitioners.
As a final point, while improving the infrastructure at the level of healthcare organisations and professionals is critical for advancing digital healthcare, careful consideration should also be given to equal access and non-discrimination of patients. The uptake of the IoMT and general connectivity of patients must therefore also be reviewed on a population level.
Data management is of the utmost importance for companies active in the healthcare industry. For instance, adequately managing clinical trial data is fundamental with regard to the set-up, conduct and successful outcome of clinical trials. In this context, the Clinical Trial Regulation (Regulation (EU) No 536/2014) regulates clinical data management, which should result in the generation of high-quality and statistically reliable data from clinical trials. The central database “Clinical Trials Information System” supports the entry, verification and quality control of data collected during clinical trials.
As discussed (see 13.1 IT Upgrades for Digital Healthcare), the healthcare industry is a frequent target for cyber-attacks, and is generally ill prepared for such hazards, requiring swift and appropriate measures. In this context, there are several national and European initiatives, laws and regulations that aim at fostering and upgrading companies’ IT infrastructure and ensuring the continuity of care, including the Early Warning System of the Belgian Centre for Cybersecurity, the (Belgian implementation of the) NIS2 Directive or the Health Care Quality of Practice Act of 22 September 2019.
As mentioned before, the European legislator has made it a priority to improve the access to and encourage the sharing of both personal and non-personal data in the EU market, including by means of the Data Act and the Data Governance Act.
There are no frameworks in place that particularly apply to the protection of intellectual property in the field of digital healthcare. Therefore, one has to revert to existing and traditional regimes regarding intellectual property protection. Slowly but steadily, those regimes are being updated to keep pace with rapid technological developments.
Inventions are patentable if they fulfil the criteria of novelty and inventiveness and if they are capable of industrial application. Computer programs are in principle exempt from patent protection as such; however, software may be protected if incorporated in a product of a technical nature. Problems arise in relation to the inventor of AI inventions. Under the current guidelines for applications to the European Patent Office, the inventor needs to be a human being. This is problematic when inventions are made by AI without human intervention. In addition, one might wonder whether patents for inventions made by AI need to be vested in the researcher who discovers the invention when using the AI technology, the owner of the AI technology or the developer of that technology.
Furthermore, the author of a literary or artistic work that is original and expressed in a specific form is granted copyright protection. To the extent software and databases meet the requirements of expression and originality, they can also be protected by copyright. Copyright only protects the structure of a database and not its content. In addition, the content of a database can be protected by the Sui Generis Database Right if the acquisition, control or presentation of that content qualitatively or quantitatively represents a substantial investment on the creator’s or developer’s part (Article XI.306 of the Code of Economic Law). The European Union Directive 2019/790 on Copyright and Related Rights in the Digital Single Market (the Copyright Directive), which has been transposed into Belgian law by the Act of 19 June 2022, attempts to make the copyright legal framework more adapted to the reality of the digital environment in which works are now created, distributed and exploited.
Trade secret protection in Belgium is detailed in Title 8/1 of Book XI of the Code of Economic Law and based on Directive (EU) 2016/943 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure. Information constitutes a trade secret if:
The illegitimate disclosure or acquisition of such information can be contested in court and sanctioned.
There are many advantages and disadvantages in the context of intellectual property protection. A pertinent example relates to the fact that such protection might simultaneously foster and hinder innovation.
On the one hand, intellectual property protection plays a crucial role in fostering innovation, particularly in the context of R&D. Digital healthcare companies invest heavily in the development of a product, which usually requires a lot of time, energy and money. Successful products might be highly lucrative, which, in turn, might result in the digital healthcare company having a commercial advantage when compared to its competitors. Therefore, once granted, intellectual property protection provides the necessary tools to safeguard the hard work and prevent competitors from infringing the product. In this context, intellectual property incentivises innovation.
On the other hand, intellectual property protection might hinder innovation, especially when digital healthcare companies seek to obtain intellectual protection solely for anti-competitive purposes and hence use this protection to prevent competitors from entering the market. For instance, the digital healthcare company might use patents as a strategic deterrent by building up so-called patent thickets, making follow-on innovation by other firms entering the market a more challenging, costly or even impossible process.
The latest regulatory developments at EU level endeavour to address this tension by striking a balance between the advantages of intellectual property protection on the one hand and the need to make data more accessible to stimulate data-driven innovation on the other.
In this context, a noteworthy example of the merits of the Copyright Directive would be the introduction of exceptions to copyright for text and data mining (ie, the automated analysis of large bodies of data in order to generate knowledge on patterns, trends and correlations), which will be particularly useful for the training of data-driven AI systems. Indeed, having to obtain the prior authorisation of the owner of a database before being able to extract data from it would be excessively time consuming in the context of the development of an AI system.
Additionally, the new Data Act will likely have an impact on different forms of intellectual property protection. Article 43 provides, for example, that the Sui Generis Database Right (discussed above) does not apply to databases containing data obtained from or generated using an IoT product or related service. The absence of intellectual property protection for the content of such databases will significantly facilitate the use and sharing of (health) data resulting from IoMT devices. The Data Act further provides exceptions to the rule that trade secrets should only be disclosed with permission of the holder. As part of the data sharing obligations it introduces, the trade secret holder may be required to disclose its trade secrets to the user of a connected device or even a third party, subject to the user of a connected device or third party taking adequate technical and organisational measures to preserve the confidentiality of the trade secret. However, the regulation also shows respect for intellectual property rights by expressly requiring that any such disclosures are backed by confidentiality obligations and clarifying that the obligation of the holder to make data available to a data recipient does not automatically oblige the disclosure of trade secrets, unless otherwise required by EU or national law.
Finally, the draft regulation on the European Health Data Space also includes data sharing obligations in relation to anonymised or pseudonymised patient health data, which may be in tension with intellectual property and trade secret protection if it requires companies to share commercially sensitive data with competitors.
The contractual licensing structures in the digital healthcare industry vary depending on the type of product. For example, to download medical, fitness and well-being apps, digital health providers will usually offer an end-user licence agreement in order for the end user (B2C) to be able to use the app and its underlying software. As far as it concerns the licensing of cloud services, generally, the SaaS licence is used, where the cloud service provider hosts the app and related data, and makes it available to end users (B2B and B2C) over the internet.
Education is a competence of the Communities in Belgium. The Codex Higher Education of the Flemish Community provides that the intellectual property rights to inventions created by salaried researchers in the course of their research duties for the university or the university of applied sciences are vested in that university (of applied sciences). The university has the sole right to exploit any such inventions. Belgian universities have a long tradition of creating and supporting spin-off companies and the Flemish Catholic University of Leuven (KU Leuven) has been named the most innovative university in Europe several years in a row for its large amount of (successful) patents filed in the field of pharmaceuticals and biotech, agriculture and food, chemicals and medical devices.
Belgian universities often collaborate with industry partners and participate in European consortium projects by conducting R&D or seconding one of their researchers to a project. The ownership and exploitation of intellectual property rights differ from project to project; however, Belgian academic institutions often endeavour to secure the ownership rights to their R&D results and grant the exploitation rights to the industry.
The pandemic has evidenced that better public health is driven by improved collaborative working, including through public-private partnerships. In order to foster the innovation that such partnerships can yield, trust between the different participants needs to be built, including while drafting and negotiating R&D agreements. In this regard, the allocation of ownership and exploitation rights for digital health inventions must be determined from the outset.
As previously stated, default statutory rules vest intellectual property rights of new ideas, works or inventions with the inventor or author of such work. Therefore, pharmaceutical and medtech companies that outsource part of their R&D need to consider which rights they need to secure in relation to the results of the R&D, including if, and to what extent, they have sufficient freedom to operate to exploit the outcomes of their research investment commercially.
New technologies increase the number of participants involved in healthcare and make it increasingly complicated for a patient to seek redress for damage caused in the provision of healthcare. The liability of a physician or hospital can be invoked contractually and extra-contractually, depending on the act from which the damage arises. Furthermore, patients can seek compensation from the Fund for Medical Accidents in the case of severe damage caused by:
This Fund for Medical Accidents is financed exclusively by the Belgian state and is a service of the NIHDI.
Furthermore, product liability for medical devices is based on the strict liability regime of Directive 85/374/EEC. In this regard, a medical device is defective when it does not provide the safety that a person is entitled to expect, taking into account all circumstances, including:
Any person in the production chain, the EU importer and the supplier might be held liable.
In light of new technologies, these classic liability regimes may need to be revisited. A first step has already been taken by the EU Digital Services Act, which (slightly) updates the rules on liability of providers of online intermediary services, including cloud services providers, in relation to illegal content provided by the recipient of the service and published on the online platform. While the liability of the provider for copyright breaches and other infringements committed by customers through their services remains limited in principle, the EU Digital Services Act introduces more extensive transparency and due diligence obligations, which may result in an increased risk of liability for the provider. This may have implications for hosting service providers involved with health data and/or intermediaries connecting patients with HCPs.
AI-driven software sometimes lacks transparency in its decision-making and demonstrates considerable autonomous behaviour. This leads one to question whether a physician is at fault (and liable) if that physician does not follow a diagnosis made by an AI technology or, conversely, whether that physician fails to perform the required due diligence by making treatment decisions based on a diagnosis made by an AI technology without knowing exactly how the software reaches a conclusion. With respect hereto, the proposal for an Artificial Intelligence Liability Directive, complementing the AI Act, suggests the implementation of both a strict (product) liability and a fault-based liability regime for AI technologies, depending on the risk involved in that AI system.
Similarly, the existing product liability regime may not always offer relief with regard to defects in digital health technologies, as many of these applications contain one or several service elements, which may make it more difficult to classify the technology as a defective product.
In this context, the EU is currently overhauling its product liability laws in an attempt to better address the risks resulting from new technological developments. The new Product Liability Directive was adopted by the European Parliament on 12 March 2024 and is awaiting formal approval from the Council of the EU. The most important changes include the expansion of the definitions of “product” to include software and “defect” to include cybersecurity and connectivity issues; the expansion of the scope of the damages that can be claimed to include medically recognised damage to psychological health and data loss or corruption; the removal of the EUR500 threshold for claims; and the reduction of the burden of proof on the injured person (among other things, through the introduction of a presumption of the product’s defectiveness in certain situations, such as for scientifically or technically complex cases). It is clear that these updates will have a significant impact on life sciences companies, especially those developing IoMT devices and other digital healthcare solutions.
As stated above, multi-participant involvement in the manufacture of digital healthcare technologies and the provision of healthcare services has made it gradually more complex to allocate responsibility. Under the defective product regime, any participant in the supply chain may be held liable, including the EU importer and the supplier.
As regards data protection, any controller is accountable for any damage that arises from a processing activity that breaches the GDPR, in contrast with processors, which are only responsible for damage that results from the processor acting outside the lawful instructions of the controller. Data processing agreements thus often include rigid liability and indemnification obligations to ensure that a controller can recover from the processor any damage caused by that service provider.