Contributed By Arthur Cox
Perspectives on digital healthcare, digital medicine and digital therapeutics will vary depending on the party in question.
Healthcare Provider
Healthcare providers, whose expertise lies in patient wellbeing and treatment, are often challenged by resource constraints and administrative burdens.
Telemedicine may be viewed as a method of alleviating some of the significant pressures placed upon the health service in recent years, in particular by the COVID-19 Pandemic. Telemedicine is defined broadly as “the delivery of healthcare services through information and communication technologies”. It entails services such as opinions, consultations and diagnoses being delivered by registered healthcare practitioners to patients using online platforms or health apps. During the Pandemic, telehealth facilitated access to health services; telemedicine can support healthcare providers and thereby enhance patient care.
Patient Consumer
From a patient perspective, limiting travel time and, as a result, the time spent away from work, school and family has been identified as a key factor encouraging the growth of digital healthcare in Ireland. Digital healthcare devices, such as wearables, health apps and online portals, can increase the personalisation and convenience of treatment plans for patients (HSE Telehealth Roadmap 2024 – 2027, retrieved from here).
Regulatory Perspective
From a regulatory perspective, capturing personal health information through technology platforms changes the way in which sensitive data is being utilised and stored. Regulators must balance the convenience of telehealth with the need to ensure patient safety, data privacy and adherence to standards. The HSE recognises that a coherent and strategic plan for the development of telehealth in Ireland is required to ensure that it is safe, effective, efficient and scalable.
Technology Perspective
For many years, software vendors have provided digital solutions for GP and pharmacy practices in Ireland. These systems operate independently of each other. Emergency legislative changes in March 2020 allowed the details of a prescription to be transferred between GPs and pharmacies via secure email.
Technology platforms and clinical evidence (like surgery outcomes) work together: the data collected from one informs the other and vice versa.
There is no definition of digital health in Irish legislation. Generally, digital health is understood to encompass standalone software, health technologies and apps used in the healthcare sector or in conjunction with other products.
The HSE uses the World Health Organisation (WHO) definition of digital health as the use of digital, mobile and wireless technologies to support the achievement of health objectives. Digital health includes the general use of information and communication technologies for health as well as advanced technologies for managing data and information such as artificial intelligence and genomics (WHO guideline: recommendations on digital interventions for health system strengthening, Geneva. Retrieved from here).
There is no definition of “digital medicine” in Irish legislation. Digital medicine is generally understood as the use of digital technologies to improve the performance of surgery and to support better delivery of medicine (Retrieved from Health in the future).
The Health Products Regulatory Authority (HPRA) is the regulator of health products in Ireland and therefore its regulatory remit extends to providers of health products in Ireland, which may include telehealth and digital medicine providers.
As Ireland is a hub for technological enterprise, including digital health (the Irish Medtech Association had over 250 members as of 2023), it is important that this environment is underpinned by appropriate regulation.
Digital health and digital medicine are largely caught by existing legislative frameworks (eg, product liability, data protection). Furthermore, there are regulatory inconsistencies across European Union (EU) Member States. Most Member States developing frameworks for digital health have done so individually and even the definitions of terms such as digital health and digital medicine are not consistent across different Member States (Digital health on prescription - is Ireland ready? Retrieved from here).
The In Vitro Diagnostic Medical Devices Regulation (EU) 2017/746 (the IVDR) and the Medical Device Regulation (EU) 2017/745 (nationally implemented by S.I. No 256/2022 and S.I. No 257/2022) (the MDR) have led to significant changes to the digital health and digital medicine landscape. The MDR has helped to fill regulatory gaps by implementing stricter clinical evaluation and evidentiary requirements for products on the market. Under the MDR, medical devices are products or equipment intended for specific medical purposes including diagnosis, prevention, monitoring, prediction, prognosis, treatment or alleviation of disease.
In recent years, the technologies enabling new capabilities in digital health and digital medicine have greatly expanded and evolved.
Digital Health
In digital health, some key technologies include:
Digital Medicine
In digital medicine, key technologies include:
In the fast-growing sector of digital health, key emerging legal issues include the following:
The Product Liability Directive 85/374/EEC (PLD) deals with no-fault liability for defective products and the resulting compensation. In 2022, the European Commission published a proposal to incorporate digital technologies into the Directive. The European Parliament adopted the PLD in March 2024. The updated PLD is intended to complement the MDR, the IVDR and the AI Act.
While there is no authority primarily responsible for regulating digital health and digital medicine in Ireland, there are a number of statutory bodies which are responsible for regulating different areas of the healthcare sector and may therefore have regulatory oversight on the provision of telemedicine services:
The Health Information and Quality Authority (HIQA)
HIQA is an independent statutory authority responsible for regulating and accrediting public hospitals and implementing quality assurance programmes. HIQA inspects the clinical and cost effectiveness of health technologies. Registered healthcare providers must notify HIQA about any incidents, events or changes within the institution. HIQA has also published several self-assessment tools, such as a self-assessment tool for national data collections. HIQA also carries out Health Technology Assessments, looking at clinical and cost effectiveness, as well as legal and ethical issues.
The Health Products Regulatory Authority (HPRA)
The HPRA is the Competent Authority for the regulation of health products, including medicines, medical devices and cosmetics. Key enforcement areas for the HPRA include product safety and liability. Any medical products that are to be placed on the Irish market need to have a marketing authorisation from the HPRA. Furthermore, the HPRA has the power to demand information from healthcare institutions, carry out investigations or inspections, revoke licences and order recalls of medical products.
Other relevant organisations include:
EHealth Ireland has recently published the HSE Telehealth Roadmap 2024-2027 (the “Roadmap”) (HSE Telehealth Roadmap 2024 – 2027 retrieved from here) to improve population health outcomes through facilitating increased accessibility to and quality of digital health supports and services. The Roadmap identified the following three methods through which telehealth delivers virtual care to patients in Ireland:
The introduction of electronic prescriptions (“ePrescribing”) in Ireland also represents a significant development in the provision of telemedicine services in this jurisdiction. A change in legislation in 2020 in response to COVID-19 allowed the secure email of prescriptions.
Furthermore, the HSE’s National Service Plan 2022 (the “Plan”) (National Service Plan 2022. Retrieved from: https://www.hse.ie/eng/services/publications/serviceplans/hse-national-service-plan-2022.pdf) highlighted its intention to leverage the acceleration of technologies such as telehealth brought about by the COVID-19 pandemic in order to develop new models of care which focus on the individual. The Plan identified maximising the potential use of telehealth as a crucial area of action to enhance services.
Medical Practitioners
Privacy and Security
Patient Safety
The Competition and Consumer Protection Commission (CCPC) and the Data Protection Commission (DPC) are both non-healthcare regulatory agencies involved in digital healthcare.
The CCPC
The CCPC enforces all aspects of competition and consumer protection law in Ireland, including their application to healthcare. The CCPC is also responsible for Articles 30-32 of the Digital Services Act, which apply to online marketplaces. The CCPC in its ‘Strategy 2024-2026’ (CCPC Strategy 2024. Retrieved from here) notes that as the regulation of the digital and data space evolves, so too will the CCPC’s portfolio and capacities.
The CCPC has received additional responsibilities and powers in recent years with respect to digital and data markets, and it lists the importance of being clear on where it can “make the biggest impact” with respect to digital markets and data as one of its overarching concerns.
The CCPC ensures that any marketing statement relating to healthcare is accurate and validly proven. This aligns with the HSE’s Guiding Principles for Telehealth (as per the Roadmap) which prioritise “high quality care… regardless of the medium”.
Wellness, Fitness and Self Care
While less regulated, these areas are gaining attention. The World Health Organisation proposes that self-care interventions can:
The Impact of New Technologies
New technologies drive cooperation among regulatory bodies as they facilitate data sharing and communication.
Preventative healthcare is generally understood to be the application or taking of measures to prevent disease and disability. Diagnostic care on the other hand involves treating or diagnosing a health issue which the client is already experiencing.
Depending on the healthcare service provided, method of service delivery and/or equipment used, different legislation and standards will govern a particular scenario and different regulators will have jurisdiction. For example, in the delivery of online health services, various regulatory regimes may apply, including but not limited to healthcare professional registration requirements, medical device regulation, prescription regulation and data protection. There is no singular specific regulatory regime that would apply to either preventative or diagnostic healthcare but instead, regulation will depend on the factual circumstances.
A number of factors have contributed to the increased use of preventative healthcare measures in Ireland. The HSE states that preventative healthcare will be necessary to sustain health services due to current demographic trends and the resulting projections (Department of Health Statement of Strategy 2023-2025. Retrieved from here).
The COVID-19 Pandemic has also influenced the adoption of preventative healthcare in Ireland. The Pandemic influenced an increase in preventative healthcare spending in Ireland with the Central Statistics Office (“CSO”) reporting in 2023 that in 2021 “spending on preventive care showed continued growth with an annual increase of 66%. This large rise can be attributed to the €686 million spent on COVID-19 testing and tracing along with EUR508 million spent on COVID-19 vaccinations. Preliminary results for 2022 show a EUR2 billion growth in spending or 7% more than in 2021” (Central Statistics Office: System of Health Accounts 2021. Retrieved from here).
Cost saving is also a motivating factor for investment in preventative healthcare. The HSE in its 2024 Service Plan notes that while preventative healthcare represents only 1% of its expenditure, any investment in the area results in “two to four times” the economic benefit (HSE - Our National Service Plan 2024. Retrieved from here).
The World Health Organisation, in the “Regional digital health action plan for the WHO European Region 2023-2030” (WHO Regional digital health action plan for the WHO European Region 2023-2030. Retrieved from here), states that “by urging Member States to promote the digitalisation of their health system… transforming health systems and strengthening prevention and well-being” can be achieved. In order to improve disease prevention, the WHO suggests strengthening digital literacy skills (with an emphasis on healthcare workforce).
Wellness and fitness data collected by wearables are not subject to the Medical Device Regulation, as these health apps and devices are not medical devices for the purposes of the Regulation, and thus are not directly regulated. However, any personal user data collected will fall under the GDPR.
The information collected by wearables comprises highly sensitive personal data such as health and medical information. Such data is subject to heightened protections under the GDPR (data concerning health is ‘special category’ data under the GDPR), which we have addressed in more detail above. Fitness trackers and wearables should be designed in a privacy-focused way, with the personal data collected limited to what is necessary to provide the intended service. No data should be collected until the user has been presented with a privacy notice that explains how the data will be processed, in a manner that complies with the requirements of Articles 12 and 13 of the GDPR. It is likely that consent will need to be obtained from users to ensure that the controller has a valid legal basis under Articles 6 and 9 of the GDPR to process the special category data. An explicit (ie, tick box) consent will need to be presented to the user, and the form of consent must comply with the requirements of Articles 7 and 9 of the GDPR to ensure that the user is fully informed of the manner in which the data will be processed, including with which third parties the data will be shared and for what purposes. As wearables will often share data collected on the device with other fitness providers to provide enhanced functionality for the user, providers should implement clear data sharing and data processing agreements. Given the sensitivity of this data, controllers are also expected to apply a high degree of security measures to ensure that the data collected by the wearables is not subject to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed.
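As an added illustration of the points above (not code from the article or from any named provider), the following hypothetical wearable data pipeline refuses to collect anything until the privacy notice has been shown and explicit opt-in consent recorded, drops fields beyond the service’s purpose, stores readings under a keyed pseudonym rather than the user identifier, and only releases data to a third party the user agreed to for a stated purpose. The class and function names, the field list and the sample reading are all constructed for this example.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Fields the service needs for its intended purpose (data minimisation);
# anything else the device can produce, such as GPS position, is dropped
# before storage. This list is an assumption for the example.
REQUIRED_FIELDS = {"timestamp", "heart_rate", "step_count"}


class ConsentError(Exception):
    """Raised when processing is attempted without a valid legal basis."""


@dataclass
class ConsentRecord:
    notice_version: str            # privacy notice shown to the user (Arts 12/13)
    explicit_health_consent: bool  # ticked opt-in box for health data (Arts 7/9)
    share_with: set = field(default_factory=set)  # (partner, purpose) pairs agreed to
    recorded_at: datetime = field(default_factory=lambda: datetime.now(timezone.utc))


class WearableDataPipeline:
    """Hypothetical pipeline: consent gate, minimisation, pseudonymisation."""

    def __init__(self, pseudonym_key: bytes):
        # The key is held by the controller, apart from the data store, so
        # stored records cannot be re-identified without it (Art. 32).
        self._key = pseudonym_key
        self._consents: dict[str, ConsentRecord] = {}
        self._store: list[dict] = []

    def record_consent(self, user_id: str, notice_version: str,
                       ticked: bool, share_with=()) -> ConsentRecord:
        """Called only after the privacy notice has been displayed to the user."""
        consent = ConsentRecord(notice_version, ticked, set(share_with))
        self._consents[user_id] = consent
        return consent

    def withdraw_consent(self, user_id: str) -> None:
        """Withdrawal stops further collection and sharing for this user."""
        if user_id in self._consents:
            self._consents[user_id].explicit_health_consent = False
            self._consents[user_id].share_with.clear()

    def pseudonymise(self, user_id: str) -> str:
        # Keyed hash rather than a plain hash: a plain SHA-256 of a small
        # identifier space can be reversed by simply enumerating identifiers.
        return hmac.new(self._key, user_id.encode(), hashlib.sha256).hexdigest()

    def _require_consent(self, user_id: str) -> ConsentRecord:
        consent = self._consents.get(user_id)
        if consent is None:
            raise ConsentError("privacy notice not yet presented; nothing may be collected")
        if not consent.explicit_health_consent:
            raise ConsentError("no explicit consent for health data (GDPR Arts 7 and 9)")
        return consent

    def ingest(self, user_id: str, reading: dict) -> dict:
        """Store one device reading, minimised and pseudonymised."""
        self._require_consent(user_id)
        minimised = {k: v for k, v in reading.items() if k in REQUIRED_FIELDS}
        record = {"subject": self.pseudonymise(user_id), **minimised}
        self._store.append(record)
        return record

    def export_for_partner(self, user_id: str, partner: str, purpose: str) -> list[dict]:
        """Release records only to a partner/purpose the user explicitly agreed to."""
        consent = self._require_consent(user_id)
        if (partner, purpose) not in consent.share_with:
            raise ConsentError(f"user did not consent to sharing with {partner} for {purpose}")
        subject = self.pseudonymise(user_id)
        return [dict(r) for r in self._store if r["subject"] == subject]


def demo() -> dict:
    """Run a constructed scenario and return each outcome for inspection."""
    pipe = WearableDataPipeline(pseudonym_key=b"constructed-demo-key-not-for-real-use")
    # Constructed device reading; the GPS fields are beyond the service's purpose.
    reading = {"timestamp": "2024-06-01T07:00:00Z", "heart_rate": 72,
               "step_count": 1540, "gps_lat": 53.35, "gps_lon": -6.26}
    outcomes: dict = {}
    try:
        pipe.ingest("patient-001", reading)
        outcomes["before_consent"] = "stored"
    except ConsentError as exc:
        outcomes["before_consent"] = str(exc)
    pipe.record_consent("patient-001", "v3", ticked=True,
                        share_with={("RunCoachApp", "training-plan")})
    record = pipe.ingest("patient-001", reading)
    outcomes["stored_fields"] = sorted(record)
    outcomes["identifier_leaked"] = "patient-001" in str(record)
    try:
        pipe.export_for_partner("patient-001", "AdNetwork", "marketing")
        outcomes["unconsented_share"] = "allowed"
    except ConsentError as exc:
        outcomes["unconsented_share"] = str(exc)
    outcomes["consented_share"] = len(
        pipe.export_for_partner("patient-001", "RunCoachApp", "training-plan"))
    pipe.withdraw_consent("patient-001")
    try:
        pipe.ingest("patient-001", reading)
        outcomes["after_withdrawal"] = "stored"
    except ConsentError as exc:
        outcomes["after_withdrawal"] = str(exc)
    return outcomes
```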
Furthermore, the Health Research Regulations 2018 require that data processors who process personal data for health research must obtain explicit consent from the data subject to do so.
The HSE’s National Service Plan for 2024 sets out a series of objectives for enhancing healthcare and, in particular, for moving away from a treatment-focused health system and toward a culture of prevention.
The National Environmental Health Service protects public health by “preventing environmental factors which may cause ill health or reduce your quality of life”. Environmental Health Officers enforce regulation in areas such as cosmetic products, sunbed control and tobacco control and issue guidance on unregulated areas which it identifies as public health risks (eg, gyms or leisure centres) (HSE - About the Environmental Health Service. Retrieved from here).
The Sláintecare Implementation Strategy and Action Plan 2021-2023 (Government of Ireland, Sláintecare Implementation Strategy and Action Plan 2021-2023. Retrieved from here) lists “Prevention and Public Healthcare” as amongst its fundamental principles. This principle informed the Sláintecare Reform Programme which involved a number of projects including implementing the Health Service Capacity Review and the eHealth platform.
In the future, preventative healthcare will likely drive regulation as a response to climate health hazards. For example, the most common climate health hazard at present in Ireland is the exposure of outdoor workers to ultraviolet radiation. The National Cancer Strategy 2017-2026 (Government of Ireland. National Cancer Strategy 2017-2026. Retrieved from here) recommends that the Department of Health develop a national skin cancer prevention plan.
There has been increased entry of non-healthcare companies into the medical technology market in recent years.
Some of this was due to emergency situations during the COVID-19 Pandemic; for example, some companies repurposed their manufacturing facilities to collaborate with medical device companies and produce ventilators. This helped to avoid a shortage of ventilators.
In other instances, technology companies have partnered with traditional medical companies in order to develop virtual care services.
However, non-healthcare companies attempting to enter the market face a number of challenges. Where non-healthcare companies enter the healthcare market and introduce new technologies, they may lack the expertise to produce equipment which meets clinical and regulatory standards.
Non-healthcare companies hoping to enter the market face a complex regulatory ecosystem. It can also take many years to gain access to the healthcare market due to the requirement for clinical trials and regulatory approvals. This time delay is exacerbated by the requirement to obtain insurance following approval.
Furthermore, concerns regarding privacy and data security are often levelled at non-healthcare companies entering the field.
A number of technologies have enabled enhanced use of connected devices in digital healthcare. The Internet of Things (IoT) connects medical devices and allows for real-time data exchange and cloud computing provides scalable storage of data. The developing regulatory framework will improve predictability for digital healthcare businesses.
The IoT facilitates telemedicine, allowing for virtual consultations and reducing the need for in-person visits. Within individual hospitals, telehealth may reduce hospital admissions. Telehealth will also allow for remote health monitoring from home (HSE Telehealth Roadmap 2024 – 2027 retrieved from here).
The Health Products Regulatory Authority (“HPRA”) is responsible for regulating medical products, and can recall products, inspect offices and ask for information to be provided.
There are a number of legal bases for liability in Ireland including:
Tort
Manufacturers owe a duty of care to anyone whom it is reasonably foreseeable could suffer loss or damage as a result of their product.
Contract
Contractual liability arises under the Sale of Goods Act 1893, as amended by the Sale of Goods and Supply of Services Act 1980.
Criminal
Criminal sanctions are provided for under S.I. No 199/2004 implementing the European Communities (General Product Safety) Regulations 2004.
Statutory
Sanctions are provided for in the Liability for Defective Products Act 1991, as amended.
We are not aware of any regulatory or judicial decisions relating to claims of liability in this jurisdiction.
Managing cybersecurity risk is crucial, especially as the Internet of Medical Things (“IoMT”) and the health service become increasingly integrated.
Inter-connected medical software and devices present increased cybersecurity risks. Cybersecurity risks are also exacerbated where medical technologies operate on outdated software. The sensitive nature of healthcare leads to increased risk where a cybersecurity breach occurs in the IoMT.
Cloud Computing
Cloud computing, meaning the delivery of instantaneous computing resources (eg, data resources) over the internet, offers many advantages to healthcare organisations but it also may be vulnerable to data breaches, hacking and unauthorised access to patient data. The DPC has advised on a number of cybersecurity measures which organisations can take to protect themselves and developed guidance on securing cloud-based environments.
On Premises and Local Computing
On premises and local computing also presents cybersecurity risks. Mobile devices, such as smartphones, laptops and tablets may be stolen and logged into if left unattended and unlocked. Furthermore, even where a device is locked a weak password often increases cybersecurity risks. Healthcare organisations should regularly conduct IT mapping exercises and system audits to ensure the IT environment is secure and up to date. These obligations should be imposed on an organisation’s IT service providers in contractual arrangements, but ultimate responsibility will likely still rest with the relevant healthcare organisation or provider as controller.
Furthermore, computers being located where members of the public can view the screen or insecure methods for disposing of physical records can also present risks to cybersecurity.
Contractual Measures to address Cybersecurity Concerns
Contractual protections with regard to cybersecurity breaches may also include (i) ensuring that all parties have sufficient cyber insurance; (ii) including clauses to clarify indemnity and liability; and (iii) contractual language to inform responses to a data breach or cyber attack.
Information Technology Policies to address Cybersecurity Concerns
Under Article 32 of the GDPR, controllers must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks to personal data.
Healthcare organisations should also include data protection and cybersecurity clauses in employee and client contracts. Examples of technical and organisational measures which healthcare organisations can take include the pseudonymisation and encryption of personal data, automatic screen savers, firewalls and incident response plans.
Healthcare providers will also be subject to the NIS2 Directive (Directive (EU) 2022/2555), which comes into effect from 17 October 2024. It requires them to implement a range of cybersecurity measures and training, including governance arrangements, to ensure a high level of cybersecurity and preparedness, and to notify certain security incidents to the National Cyber Security Centre.
There is very little regulation associated with the IoMT.
The European Data Act (Regulation (EU) 2023/2854) entered into force on 11 January 2024 and will be applicable from 12 September 2025. It applies to any connected product on the IoT which generates or collects data concerning its performance, use or environment. This includes data related to “health and lifestyle equipment” or “medical and health devices”. It is expected that devices such as fitness trackers and pacemakers will therefore be caught by the Act. The Data Act facilitates the sharing of data between manufacturers and service providers of connected products to foster innovation and encourage data sharing. From 2026, the design of medical IoT devices must allow users of these products and services to directly access user-generated data. Users will also have a right to share and transfer their data between providers to improve interoperability within the EU.
The EU Commission has also introduced the MDR which outlines requirements for medical devices and the In Vitro Diagnostic Medical Devices Regulation (“IVDR”) outlines requirements for IVDs. Both the MDR and IVDR apply to all Member States.
The General Product Safety Regulation will also come into force in December 2024 and will only permit products to be sold in the EU if the product has been deemed “safe” within the meaning of the Product Safety Regulation. It will also require businesses to inform users of any risks associated with the products supplied.
On a global scale the Medical Devices Single Audit Program (“MDSAP”) (IMDRF - About MDRF. Retrieved from here) is an initiative aimed at harmonising medical device regulatory requirements across participating countries. Currently Australia, Brazil, China, Japan, the United Kingdom and the United States of America participate in the MDSAP. The World Health Organization is an affiliate and the European Union is recognised as an Official Observer.
Companies which are traditionally outside of the healthcare industry face a number of challenges when endeavouring to enter the market and offer software as a medical device technology. These include navigating a complex regulatory framework with which they may be unfamiliar, and assuaging concerns regarding privacy and data security which are often levelled at non-healthcare companies entering the field.
The IVDR defines ‘‘in vitro diagnostic medical device[s]” as encompassing a number of listed technologies used for certain medical purposes including predicting treatment response or reactions. Software is among the medical devices listed by this definition.
The IVDR stipulates, however, that software is only an in vitro diagnostic medical device “when specifically intended by the manufacturer” to be used for the purposes set out in the definition. Software for general purposes, even if it is being used in a healthcare setting, does not qualify as an in vitro diagnostic medical device.
The MDR provides for the categorisation of medical devices into four risk classes (Class I, Class IIa, Class IIb and Class III). A different conformity assessment procedure applies prior to being granted market access, depending on the risk class of the product. Devices identified as being higher risk undergo increased scrutiny as compared to those which are lower risk.
The MDR, which became applicable in 2021, includes transitional provisions until 2025. According to the European Commission, these transitional provisions will help to avoid market disruption. On the topic of whether the MDR will be able to keep up with future progress, the European Commission goes on to note in its Questions & Answers that the MDR will “enable the sector to produce safer and more innovative devices and help address future challenges” (European Commission - Questions & Answers: Application of Regulation on Medical Devices – EU rules to ensure safety of medical devices dated 26 May 2021. Retrieved from here).
This includes products using AI and machine learning, which fall within the definition of a medical device under Article 2(1) of the MDR. AI models will be regulated by the EU Artificial Intelligence Act (“AI Act”). Please see Sections 11.1 and 11.2 for further detail on AI and machine learning.
The Medical Council states in its guidance that telemedicine “involves the exchange of information between doctors and patients, or between doctors and professional colleagues, for the diagnosis, treatment and prevention of disease and injuries, and for research, evaluation and continuing education”.
In Ireland, the HSE established a division responsible for the delivery of technology to support healthcare provision across Ireland. eHealth Ireland runs a national Telehealth Programme, which focuses on four workstreams:
Video Enabled Healthcare
The HSE enables online health appointments for non-urgent care, getting results from healthcare professionals, mental health care and chronic disease management. The HSE also offers a blended approach, meaning that some encounters with healthcare professionals are in person, and some online.
Remote Health Monitoring
The HSE currently offers Virtual Wards, which are promoted as being safe and efficient alternatives to bedded care.
Online Supports and Therapies
This initiative has health information and signposting opportunities, self-help opportunities, online one-on-one or group supports and video consultations.
Engagement, Research and Evaluation
This initiative sets out objectives for research and collaboration, in order to promote evidence-based practices and to make research a core part of the health service.
While telehealth services are permitted in Ireland, there are no specific regulatory requirements. However, telemedicine platforms are required to comply with applicable laws, including, for example, data protection legislation.
Covid-19 Pandemic Response
In response to the COVID-19 outbreak, the HSE published Operational Governance Guidance for Telehealth Implementation. Furthermore, to support the implementation of Telehealth in community settings during COVID-19, the HSE published an Operational Governance Guidance for Telehealth Implementation – community services.
Registration and Education of Healthcare Professionals
All Medical Practitioners must be registered in Ireland with the Medical Council and this includes practitioners providing telemedicine services.
Similarly, regarding the provision of other telehealth services:
Insurance Requirements
There are no specific insurance requirements for the provision of telemedicine services in Ireland.
However, pursuant to the Medical Practitioners (Amendment) Act 2007, all Medical Practitioners must have professional medical indemnity up to a specified level, which varies for different specialties.
Furthermore, all healthcare professionals who are providing cross-border healthcare must have professional liability insurance pursuant to the European Union (Application of Patients’ Rights in Cross-Border Healthcare) (Amendment) Regulations 2015.
Data Protection Requirements
Telemedicine services are subject to the same principles that apply in the context of traditional consultations. This includes the requirement to protect a patient’s privacy by keeping records and other information about patients securely. This is of particular importance in the context of telemedicine services. It is integral that strong security measures should be taken to protect the confidentiality inherent in the doctor-patient relationship.
The Medical Council Guide to Professional Conduct and Ethics states that doctors working in telemedicine should make every effort to ensure that notes taken about a patient are placed in the patient’s medical record with their general practitioner as soon as possible.
Applicable law provides criteria for security systems to protect patient information
Under Article 32 GDPR, controllers must implement appropriate technical and organisational measures to ensure that patient data is not subject to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed. The standard set by the GDPR allows controllers to consider the costs of implementation alongside the scope, context and purposes of processing, as well as the risks that a security incident would pose to the rights and freedoms of natural persons. Examples of technical and organisational measures include pseudonymisation and encryption of personal data, restricted access controls, network segregation and regular security and penetration testing. Where telemedicine providers rely on video conferencing and electronic health records as part of the delivery of their services to patients, they will need to ensure appropriate data protection measures are in place by design and default.
Jurisdictional Requirements
As noted above, if a doctor based in Ireland is providing telemedicine services in Ireland or in any Member State, they must be registered with the Irish Medical Council.
Doctors based in EU or EEA can also provide certain telemedicine services to patients in Ireland provided they are appropriately qualified and registered with a professional body in their jurisdiction.
Legal Status of Video Platforms such as Zoom and Microsoft Teams
There are no specific legal requirements for video platforms such as Zoom or Microsoft Teams separate to general obligations under data protection and cybersecurity legislation. Such platforms must ensure they have in place appropriate data processing clauses in their service contracts and provide adequate technical and organisational measures to ensure the security of data collected and stored on video platforms.
From 17 October 2024, video platforms that operate as cloud-based service providers may be subject to the NIS2 Directive (Directive (EU) 2022/2555) if considered a service of high criticality. If in scope for NIS2, video platforms will be subject to greater cybersecurity risk management measures, increased governance oversight and incident reporting obligations to provide a common level of cybersecurity across essential or critical services within the EU.
There is no specific legislation dealing with payment for telehealth services, either in the public or private sector.
The Medical Council ‘Guide to Professional Conduct & Ethics for Registered Medical Practitioners’ (Medical Council - Guide to Professional Conduct and Ethics for Registered Medical Practitioners 2024. Retrieved from here) is equally applicable to Medical Professionals whether they are providing their services in person or via telemedicine. The Guide states that fees should be appropriate with respect to the services provided and a schedule of fees/envisaged costs should be made available to patients in advance of the consultation and treatment.
Telehealth may be covered by health insurance providers.
The IoMT is an interconnected infrastructure of medical devices and software enabled by a number of technological advancements including cloud computing, artificial intelligence, sensors and data sources and high-speed 4G/5G networks.
The IoMT has a wide range of applications in healthcare. For example, IoMT devices can assist in diagnosis by tracking vital signs and bodily parameters, gathering this data and providing it in real time for accurate evaluations.
Security risks in the IoMT include power attacks (draining of batteries or power sources), remote hacking of devices, disruption of device functionality and unauthorised copying of devices.
The impact of 5G networks on digital healthcare is expected to include online medicine instruction and online collection, storage and use of medical data and images as well as remote surgery, supply chain management, contact tracing and rapid health service deployments (Siriwardhana, Yushan, Gurkan Gur, Mika Ylianttila, and Madhusanka Liyanage - “The Role of 5G for Digital Healthcare against COVID-19 Pandemic: Opportunities and Challenges” 7, no. 2 (November 2020). Retrieved from here). This is achieved through leveraging 5G’s high-speed networks and ability to facilitate real-time data transfer.
The European Parliament decision establishing the Digital Decade Policy (EU) 2015/2120 lists technological neutrality as one of its key principles meaning that “All technologies and transmission systems able to contribute to the achievement of the gigabit connectivity, including the current and upcoming advancements of fibre, satellite, 5G or any other future ecosystem and next generation Wi-Fi should therefore be treated equally, where they have equivalent network performance” (Decision (EU) 2022/2481 of the European Parliament and of the Council of 14 December 2022 establishing the Digital Decade Policy Programme 2030 (Text with EEA relevance). Retrieved from here).
The use of personal data in digital healthcare is primarily regulated by the GDPR and the Data Protection Acts 1988–2018. Information relating to a person’s health is special category data under the GDPR and is subject to greater protections (as explained further above).
Where health data is collected for the purpose of health research, the Data Protection Act 2018 (Section 36(2)) (Health Research) Regulations 2018 (as amended) will apply. The research body must obtain the explicit and informed consent of data subjects to use their personal information. If it is not possible to obtain explicit consent, controllers may apply to the Health Research Consent Declaration Committee for a declaration waiving the explicit consent requirement where the public interest in conducting the health research “significantly outweighs” the public interest in obtaining their explicit consent.
Medical Practitioners must also ensure that patients have given their consent to conduct the consultation through telemedicine and consent to any treatment provided.
As with traditional consultations, Medical Practitioners must ensure that:
If a data subject requests access to their health data and a medical practitioner believes that providing access will cause serious harm to the data subject (whether physical or mental), the medical practitioner can refuse access under the Data Protection (Access Modification) (Health) Regulations 2022.
Patient safety is of paramount importance in the delivery of appropriate healthcare. Accordingly, privacy and security are key enforcement areas in terms of healthcare IT. The Irish Data Protection Commission has wide-ranging powers and can impose substantial sanctions for breaches of the GDPR. Further, data subjects have the right to bring actions for material and non-material damages in the courts.
Where a controller appoints a data processor to process personal data on its behalf, both parties must enter a written data processing agreement that meets the requirements of Article 28 GDPR. Where two or more parties are working together, they may be considered “joint controllers” if they jointly determine the purposes and means of processing personal data. Joint controllers should enter into a written contract to set out the responsibilities of each party, in particular regarding the liability of the parties.
Any medical devices using AI technology to improve functionality should be aware of the new cybersecurity risks posed by their use and their interoperability, security and resilience levels must be considered in this context.
The use of confidential or sensitive medical information in AI tools, for example in natural language processing “virtual assistants” or to train AI models, remains a significant data protection concern. Any processing of personal data in these tools requires that all requirements of the GDPR are complied with on an ongoing basis, including clear and transparent information on how the data will be processed and shared, identification of a legal basis for processing, and a high level of security and confidentiality. Where consent is obtained, it must be possible to have any personal data deleted from the relevant AI tool if consent is revoked. Without appropriate anonymisation or redaction measures in place, sensitive data can form part of the AI model’s core dataset, which may cause sensitive personal data to resurface in an output at a later date. The GDPR has further specific prohibitions or restrictions on various categories of processing (eg, profiling, special category data, automated decision-making, etc) that may be relevant in any particular use case.
An organisation acting as a controller or processor of data used by an AI tool may be liable for a GDPR breach. This can occur if personal data is used to train algorithmic models without having an appropriate legal basis, or where data subjects are not notified of the use (including any future use) of their data in the context of an AI model. The use of AI can also involve automated decision-making which is highly regulated under the GDPR. In addition, as the AI Act will impose fines of up to 6% of global turnover, a measured risk-based approach should be adopted that extends beyond GDPR compliance. A data protection impact assessment (as required under the GDPR) and a fundamental rights impact assessment (as required under the AI Act) should be conducted for the use of AI tools in the health sector where the tool will involve the high-risk processing of personal data.
The AI Act also recognises that AI providers, notified bodies, digital innovation hubs, testing experimentation facilities and researchers should have access to and use of high-quality datasets. The European Commission will establish common data spaces to facilitate data sharing between businesses and government in the public interest to provide trustworthy, accountable and non-discriminatory access to data for the training, validation and testing of AI systems. This includes non-discriminatory access to health data to train artificial intelligence algorithms in a privacy-preserving, secure, timely, transparent and trustworthy manner, and with an appropriate institutional governance.
The AI Act is an EU Regulation which aims to regulate the use of AI systems on the EU market. It is expected to enter into force in June 2024 and will come into force on a phased basis over a period of 36 months. Medical devices and in vitro medical devices that are class IIa or higher under the MDR will be classified as high-risk AI systems. Medical device manufacturers and providers will be required to comply with a number of obligations to ensure the safety and security of AI medical devices. These obligations will exist in addition to those under the Medical Device Regulation and the In Vitro Diagnostics Medical Devices Regulation. Moreover, any organisations that use AI systems in the provision of health or medical services will be required to implement appropriate technical and organisational measures to ensure the safety and security of the system being deployed, particularly where AI tools are used to make decisions in critical or emergency systems such as classifying and evaluating emergency calls.
The AI Act recognises the risk of bias and discriminatory impacts within AI systems. Medical devices classified as high-risk AI tools will be subject to data governance and management practices that are appropriate for the intended purpose of the AI system, particularly where the potential bias is likely to impact the health and safety of individuals. It is only permissible for high-risk AI systems to process special categories of personal data (such as health or medical information) where bias correction and deletion can be ensured.
Companies which develop and sell new digital healthcare technologies must navigate a growing legal and regulatory landscape. These regulations include:
Established IT companies are adapting to operating in a regulated healthcare environment as they introduce digital healthcare technology as part of their technology and service offerings by collaborating with existing healthcare providers. Established IT companies can also leverage their expertise in AI and cloud computing.
To properly support digital technologies, healthcare institutions must have robust IT infrastructure in place to adopt new IT technologies into their existing systems while maintaining a secure network.
Healthcare institutions should establish governance structures for cybersecurity-related matters, such as the appointment of a Chief Technology Officer and/or a Chief Information Security Officer, to ensure compliance with regulatory obligations including NIS 2 (see 13.2 Data Management and Regulatory Impact for further information). Proactive scanning and testing of networks should be conducted to identify vulnerabilities and security weaknesses, and a 24/7 security monitoring service should be in place. Healthcare institutions should also carry out an IT mapping exercise and conduct tabletop cyber-attack simulations to get a comprehensive understanding of their technology landscapes.
Cloud-based service providers in the digital health space should consider if they fall within the scope of the EU Directive on the Security of Network and Information Systems (NIS1) and NIS2. NIS2 will come into force on 17 October 2024 and imposes enhanced obligations in relation to cybersecurity incidents. The health sector is designated as a sector of high criticality, which captures medium and large healthcare providers, laboratories, research and development bodies and manufacturers. NIS2 imposes obligations on management in respect of the organisation’s cybersecurity compliance, with onerous penalties for failure to comply. It also sets out detailed risk management measures and requires the notification of incidents that compromise the availability, authenticity, integrity or confidentiality of data or services and that have a significant impact on the provision of services.
The Data Act, NIS2 and the GDPR are some of the key regulations focused on building a European Health Data Space which seeks to empower individuals to take control of their health data for the delivery of healthcare across the EU and to provide a consistent, trustworthy, and efficient system for the reuse of health data for research and innovation, policy, and regulatory activities.
Patents
The Patents Act 1992 (as amended) governs the law relating to patents in Ireland. For an invention to be patentable, it must be novel, susceptible of industrial application and involve an inventive step. Patent applications can be made to the Irish Intellectual Property Office or the European Intellectual Property Office. While software is not by itself patentable in Europe, software based inventions are.
Patents can provide registered protection for up to 20 years. A short-term patent may be obtained without needing to demonstrate the invention’s novelty.
A patent cannot be obtained for, among other things:
Copyright
The Copyright and Related Rights Act 2000 (as amended) governs the protection and enforcement of copyright in Ireland.
Copyright subsists automatically upon the creation of literary, artistic and other tangible works (including computer programs and databases), protecting the physical manifestation of the work (as distinct from the underlying idea or principle) once the work in question meets the test of originality. Copyright exists in the software itself (source and object code) along with any accompanying elements such as sound and graphic designs.
In an employment context, the employer will be the owner of any copyright created by an employee in the course of their employment, unless they have agreed otherwise.
The owner of copyright in a work has the exclusive right to prevent or allow others to:
Trade Secrets
The protection of trade secrets is governed by the European Union (Protection of Trade Secrets) Regulations 2018 (Trade Secrets Regulations), which transpose Directive EU 2016/943 (the Trade Secrets Directive) into Irish law. Under this regime, a trade secret is protected if:
The Trade Secrets Regulations provide for prohibitive and corrective remedies to prevent and/or obtain redress for the unlawful acquisition, use or disclosure of the trade secret.
While the Data Act seeks to encourage greater data sharing to foster innovation, it also includes important safeguards to protect intellectual property and trade secrets. Manufacturers and service providers have a veto right to restrict data sharing and accessibility of trade secrets if doing so would lead to serious and irreparable economic loss.
Inventions and works of authorship created by AI technologies
Intellectual property laws in Ireland are designed to protect human creations rather than those developed by autonomous AI systems with no human input. The Patents Act 1992 envisages that the inventor will be a natural person and requires the inventor or joint inventors to be mentioned on the patent application. The Copyright and Related Rights Act 2000 states that, in the case of computer-generated works where the author is not an individual, the authorship of these works will vest in “the person by whom the arrangements necessary for the creation of the work are undertaken”. This implies that the AI model must be acting on the instructions of a human, rather than the AI system acting autonomously.
In Ireland, companies can obtain corporation tax relief in certain circumstances if they have qualifying assets under the Knowledge Development Box regime. Qualifying assets include computer programs and patented or patentable inventions.
Obtaining registered intellectual property protection in the form of a patent across relevant jurisdictions is costly and can be protracted. The speed at which digital technologies are developing in the current landscape can often mean that the technology will be obsolete and outdated by the time the application is approved. In relation to patents, once the patent is published, all details of the patent are publicly disclosed even if the application does not proceed to registration. A patent will provide protection for 20 years and cannot be renewed. Once the 20-year period expires, the patent can be freely used by the public.
Copyright has a longer period (being the life of the author plus 70 years) and the protection evolves as the software itself evolves provided it has the requisite standard of originality. There is no copyright register in Ireland or the EU and so the owner can only enforce its rights by demonstrating there has been, in effect, copying by an infringer of its copyright. This means that the rights cannot be enforced against a third party who separately and independently (and without copying a work already protected by copyright) develops the same or a similar software program.
Under the Trade Secrets Regulations, while there is again no formality to claiming trade secret protection once information qualifies as a trade secret, the remedies available to the trade secret holder are “negative” rights, which include prohibition of the use of the trade secret, prohibition of the production or use of infringing goods, the adoption of corrective measures and the destruction (or delivery up) of all or part of any data embodying the trade secret.
Digital healthcare products provided directly to consumers, such as medical and fitness apps, will be subject to terms and conditions or end-user licensing agreements which grant the user permission to use the software contained in the app. Cloud services are generally subject to a “Software as a Service” or “SaaS” Agreement.
In agreements between commercial entities, the scope of licence is typically defined. The parties should consider the appropriate ownership of the intellectual property including the ownership of any bespoke features or improvements. The strength of warranties should also be considered as to the completeness, accuracy and usefulness of the licensed data, data protection compliance, the ownership of background IP and IP that is bespoke for the individual licensing the software.
Knowledge Transfer Ireland is the national body tasked with facilitating the transfer of academic and state-funded expertise and technology to businesses. They produce model agreements which typically form the basis for the licensing of university-generated IP to spin-out companies or industry investors in return for royalties and for collaborative developments between industry and academia. IP owned or developed by academic institutions may also be assigned provided the transfer is in accordance with State Aid rules.
Private sector technology companies will often enter into negotiated contractual arrangements. In industry funded arrangements, the IP rights will often be assigned to the entity providing financial support for the research and development with a right to use the intellectual property reserved for the university or healthcare institution to continue to use the intellectual property for teaching and research purposes.
Clear research and development agreements should be negotiated prior to the creation of collaborative developments. These agreements should address pre-existing intellectual property, the allocation of ownership of developed intellectual property rights and how those rights can be exploited by the parties. In most cases, it will be most appropriate for one of the parties to take ownership of the intellectual property that is jointly developed, as joint ownership of IP can give rise to complex management arrangements.
The liability related to patient care resulting from decisions made using digital health technologies, particularly those based on data analytics and AI, will continue to be governed by the existing legal framework of Product Liability, Contractual Protections and Negligence.
Bias in AI can be addressed before an injury occurs by the owner ensuring that a diverse data set informs the AI and by regularly auditing AI models for bias.
After an injury takes place, the AI owner can respond by transparently addressing bias-related incidents and by implementing fairness-aware algorithms to mitigate bias.
Managing liability resulting from third-party vendors’ products or services involves contractual safeguards, due diligence and robust cybersecurity practices to protect healthcare institutions. The principles of negligence may also apply.
Ten Earlsfort Terrace
Dublin 2
D02 T380
Ireland
+35 31 920 1298
dublin@arthurcox.com www.arthurcox.com/contact/dublin/