Digital Healthcare 2024 Comparisons

Last Updated June 27, 2024

Contributed By Arthur Cox

Law and Practice

Authors



Arthur Cox is one of Ireland's leading law firms. It is an “all-island” law firm with offices in Dublin and Belfast. The firm also has offices in London, New York and San Francisco. Its practice encompasses all aspects of corporate and business law providing a comprehensive service to an international client base ranging from established global leaders and multinational organisations to government agencies and statutory bodies, public and private companies, banks and financial institutions to new players in emerging industry sectors.

Perspectives on digital healthcare, digital medicine and digital therapeutics will vary depending on the party in question.

Healthcare Provider

Healthcare providers, whose expertise lie in patient wellbeing and treatment, are often challenged by resource constraints and administrative burdens.

Telemedicine may be viewed as a method of alleviating some of the significant pressures which have been placed upon the health service in recent years, in particular by the COVID-19 Pandemic. Telemedicine is defined broadly as “the delivery of healthcare services through information and communication technologies”. Telemedicine entails services such as opinions, consultations and diagnosis being delivered by registered healthcare practitioners to patients using online platforms or health apps. During this juncture, telehealth facilitated access to health services and telemedicine can provide support to healthcare providers and therefore enhance patient care.

Patient Consumer

From a patient perspective, limiting travel time and as a result, the time spent away from their work, school and families, have all been identified as key factors encouraging the growth of digital healthcare in Ireland. Digital healthcare devices, such as wearables, health apps and online portals can increase personalisation and convenience of treatment plans for patients (HSE Telehealth Roadmap 2024 – 2027, retrieved from here).

Regulatory Perspective

From a regulatory perspective, capturing personal health information through technology platforms changes the way in which sensitive data is being utilised and stored. Regulators must balance the convenience of telehealth with the need to ensure patient safety, data privacy and adherence to standards. The HSE recognises that a coherent and strategic plan for the development of telehealth in Ireland is required to ensure that it is safe, effective, efficient and scalable.

Technology Perspective

For many years, software vendors have provided digital solutions for GP and pharmacy practices in Ireland. These systems operate independently of each other.  Emergency legislative changes in March 2020 allowed for the transfer details of a prescription between GP and pharmacies via secure email.

Technology platforms and clinical evidence (like surgery outcomes) work together: the data collected from one informs the other and vice versa.

There is no definition of digital health in Irish legislation. Generally, digital health is understood to encompass standalone software, health technologies and apps used in the healthcare sector or in conjunction with other products.

The HSE uses the World Health Organisation (WHO) definition of digital health as the use of digital, mobile and wireless technologies to support the achievement of health objectives. Digital health includes the general use of information and communication technologies for health as well as advanced technologies for managing data and information such as artificial intelligence and genomics (WHO guideline: recommendations on digital interventions for health system strengthening, Geneva. Retrieved from here).

There is no definition of “digital medicine” in Irish legislation. Digital medicine is generally understood as an effort to use digital technologies to improve the performance of surgery and assist in better performance for better delivery of medicine (Retrieved from Health in the future).

The Health Products Regulatory Authority (HPRA) is the regulator of health products in Ireland and therefore its regulatory remit extends to providers of health products in Ireland, which may include telehealth and digital medicine providers.

As Ireland is a hub for technological enterprise, including digital health (the Irish Medtech Association had over 250 members as of 2023), it is important that this environment is underpinned by appropriate regulation.

Digital health and digital medicine are largely caught by existing legislative frameworks (eg, product liability, data protection). Furthermore, there are regulatory inconsistencies across European Union (EU) Member States. Most Member States developing frameworks for digital health have done so individually and even the definitions of terms such as digital health and digital medicine are not consistent across different Member States (Digital health on prescription - is Ireland ready? Retrieved from here). 

The In Vitro Diagnostic Medical Devices Regulation (EU)2017/746 (IVDR) and the Medical Device Regulation (EU) 2017/745 (nationally implemented by S.I. No 256/2022 and S/I/ No 257/2022) (the MDR) have led to significant changes to the digital health and digital medicine landscape. The MDR has helped to fill regulatory gaps by implementing stricter clinical evaluation and evidentiary requirements for products on the market. Under the MDR Medical devices are products or equipment intended for specific medical purposes including diagnosis, prevention, monitoring, prediction, prognosis, treatment or alleviation of disease.

In recent years, the technologies enabling new capabilities in digital health and digital medicine have greatly expanded and evolved.

Digital Health

In digital health some key technologies include:

  • Telemedicine:
    1. Telemedicine is defined broadly as “the delivery of healthcare services through information and communication technologies”.
    2. Telemedicine entails services such as opinions, consultations and diagnosis being delivered by registered healthcare practitioners to patients using online platforms or health apps.
  • Healthcare applications, which are applications hosted on connected wearables and mobile devices which aim to monitor and improve health/wellbeing.

Digital Medicine

In digital medicine, key technologies include:

  • Artificial intelligence (AI):
    1. There is a growing reliance on AI in the healthcare sector. The WHO defines AI as “an area of computer science that emphasizes the simulation of human intelligence processes by machines that work and react like human beings” (WHO Global strategy on digital health 2020-2025. Retrieved from here).
    2. The EU AI Act, the first standalone and comprehensive regulation governing AI, was adopted on 1 May 2024 and is expected to enter into force in June 2024.
  • 3D Printing for Healthcare, which is used for a number of purposes including creating medical devices and anatomical models which are patient specific.

In the fast-growing sector of digital health key emerging legal issues include the following:

  • Product classification:
    1. The convergence of medical devices, medicinal products and software requires that product classification is carefully considered to ensure regulatory compliance.
    2. Many EU Member States are designing assessment frameworks for digital health technologies individually. In the context of the EU Common Market, standardised product classification and assessment is preferable. 
  • Data protection and cybersecurity:
    1. As the use of AI systems in digital health develop, data protection concerns grow with it. It is integral that patient data is collected and handled in compliance with data protection law.
  • Commercial agreements:
    1. Structuring contracts for digital health collaborations, licencing, and partnerships in a swiftly changing landscape may prove challenging.
  • Liability:
    1. All products must comply with applicable product safety legislation in order to ensure user safety.

The Product Liability Directive 85/374/EEC (PLD) deals with no-fault liability for defective products and the resulting compensation. In 2022, the European Commission published a proposal to incorporate digital technologies into the Directive. The European Parliament adopted the PLD in March 2024. The updated PLD is intended to complement the MDR, the IVDR and the AI Act.

While there is no authority primarily responsible for regulating digital health and digital medicine in Ireland, there are a number of statutory bodies which are responsible for regulating different areas of the healthcare sector and may therefore have regulatory oversight on the provision of telemedicine services:

The Health Information and Quality Authority (HIQA)

HIQA is an independent statutory authority responsible for regulating and accrediting public hospitals and implementing quality assurance programmes. HIQA inspects the clinical and cost effectiveness of health technologies. Registered healthcare providers must notify HIQA about any incidents, events or changes within the institution. HIQA has also published several self-assessment tools, such as a self-assessment tool for national data collections. HIQA also carries out Health Technology Assessments, looking at clinical and cost effectiveness, as well as legal and ethical issues.

The Health Products Regulatory Authority (HPRA)

The HPRA is the Competent Authority for the regulation of health products, including medicines, medical devices, and cosmetics. Key enforcement areas for the HPRA include product safety and liability. Any medical products that are to be placed on the Irish market need to have a marketing authorisation from the HPRA. Furthermore, the HPRA has the power to demand information from healthcare institutions, as well as carry out investigations or inspections, revoking licenses and ordering recalls of medical products.

Other relevant organisations include:

  • the Competition and Consumer Protection Commission (the CCPC) which is responsible for enforcing consumer protection and general product safety legislation;
  • the Data Protection Commission (the DPC) which is the Irish supervisory authority for the purposes of the General Data Protection Rules (GDPR);
  • the Medical Council which is the regulatory body of medical doctors in Ireland and maintains the Register of Medical Practitioners. Medical Practitioners who provide telemedicine services to patients in Ireland must be registered with the Medical Council;
  • the National Standards Authority of Ireland (NSAI) which creates, maintains, promotes and issues accredited certification of products, services and organisations with recognised standards; and
  • the Department of Health which is the government department tasked with the delivery of policies in the healthcare sector.

EHealth Ireland has recently published the HSE Telehealth Roadmap 2024-2027 (the “Roadmap”) (HSE Telehealth Roadmap 2024 – 2027 retrieved from here) to improve population health outcomes through facilitating increased accessibility to and quality of digital health supports and services. The Roadmap identified the following three methods through which telehealth delivers virtual care to patients in Ireland:

  • remote consultations and care;
  • remote health monitoring; and
  • online supports and therapies.

The introduction of electronic prescriptions (“ePrescribing”) in Ireland also represents a significant development in the provision on telemedicine services in this jurisdiction. A change in legislation in 2020 in response to COVID-19 allowed the secure email of prescriptions.

Furthermore, the HSE’s National Service Plan 2022 (the “Plan”) (National Service Plan 2022. Retrieved from: https://www.hse.ie/eng/services/publications/serviceplans/hse-national-service-plan-2022.pdf) highlighted its intention to leverage the acceleration technologies such as telehealth by the Covid-19 pandemic in order develop new models of care which focus on the individual. The Plan identified maximising the potential use of telehealth as a crucial area of action to enhance services.

Medical Practitioners

  • The Medical Council regulates medical practitioners in Ireland. The Medical Council has reiterated in guidance provided to practitioners that the duty of care owed by a doctor to their patient applies equally in the telemedicine environment and a doctor’s office (Telemedicine Phone and Video Consultations - A Guide for Doctors. Retrieved from here).
  • All medical practitioners, whether providing telemedicine or in-person healthcare services, are obliged to operate in compliance with applicable legislation and ethical standards.
  • Medical practitioners who do not meet the standards of competence which can reasonably be expected may be subject to the complaints and disciplinary procedures of the Medical Council.
  • The Medical Council’s Preliminary Proceedings Committee assesses complaints made against a Medical Professional (Complaints Information for Doctors. Retrieved from here).

Privacy and Security

  • Privacy and security are key enforcement areas in terms of healthcare IT and the processing of personal data.
  • As telemedicine involves the use of technology to communicate sensitive patient data, such as medical history and treatments, it is crucial to protect against unauthorised access.
  • The GDPR require data controllers (in this case the telemedicine supplier) to be responsible for the personal data they process and to ensure that they have appropriate security measures in place to protect the integrity and confidentiality of patient data.
  • Information relating to a person’s health is considered to be a special category of personal data under the GDPR and subject to additional protection. Article 9(1) of the GDPR prohibits the processing of special category personal data unless an exception in Article 9(2) of the GDPR applies. These exceptions should be carefully considered by a telemedicine provider.
  • The DPC has wide-ranging powers and can impose substantial sanctions for breaches of the GDPR.
  • Data subjects also have the right to bring actions for material and non-material damages through litigation.

Patient Safety

  • Patient safety is of paramount importance in the delivery of appropriate healthcare. Accordingly, product safety and product liability are key enforcement areas for the HPRA and CCPC.
  • Digital healthcare has the potential to vastly improve patient safety however, at present there is a dearth of research on how patient safety and digital healthcare interact in reality.
  • Medical Practitioners providing telemedicine must be satisfied that the services they provide are safe and suitable for patients. Medical practitioners are also obliged to explain to patients that services such as physical examination cannot be undertaken via telemedicine and to advise as to resulting additional risks.

The Competition and Consumer Protection Commission (CCPC) and the Data Protection Commission (DPC) are both non-healthcare regulatory agencies involved in digital healthcare.

The CCPC

The CCPC enforces all aspects of competition and consumer protection law in Ireland, including their application to healthcare. The CCPC is also responsible for Articles 30-32 of the Digital Services Act which apply to online market places. The CCPC in its ‘Strategy 2024-2026’  (CCPC Strategy 2024. Retrieved from here) notes that as the regulation of digital and data space evolves so too will the CCPC portfolio and capacities.

The CCPC has received additional responsibilities and powers in recent years with respect to digital and data markets and it lists the importance on being clear on where it can “make the biggest impact” with respect to digital markets and data as being one of its overarching concerns.

The CCPC ensures that any marketing statement relating to healthcare is accurate and validly proven. This aligns with the HSE’s Guiding Principles for Telehealth (as per the Roadmap) which prioritise “high quality care… regardless of the medium”.

Wellness, Fitness and Self Care

While less regulated, these areas are gaining attention. The World Health Organisation proposes that self-care interventions can:

  • empower individuals and communities to manage their own health and wellbeing;
  • strengthen national institutions with efficient use of domestic resources for health; and
  • improve primary healthcare and contribute to achieving universal healthcare (WHO Self-care for health and well-being. Retrieved from here).

The Impact of New Technologies

New technologies drive cooperation among regulatory bodies as they facilitate data sharing and communication.

Preventative healthcare is generally understood to be the application or taking of measures to prevent disease and disability. Diagnostic care on the other hand involves treating or diagnosing a health issue which the client is already experiencing.

Depending on the healthcare service provided, method of service delivery and/or equipment used, different legislation and standards will govern a particular scenario and different regulators will have jurisdiction. For example, in the delivery of online health services, various regulatory regimes may apply, including but not limited to healthcare professional registration requirements, medical device regulation, prescription regulation and data protection. There is no singular specific regulatory regime that would apply to either preventative or diagnostic healthcare but instead, regulation will depend on the factual circumstances.

A number of factors have contributed to the increased use of preventative healthcare measures in Ireland. The HSE states that preventative healthcare will be necessary to sustain health services due to current demographic trends and the resulting projections (Department of Health Statement of Strategy 2023-2025. Retrieved from here).

The COVID-19 Pandemic has also influenced the adoption of preventative healthcare in Ireland. The Pandemic influenced an increase in preventative healthcare spending in Ireland with the Central Statistics Office (“CSO”) reporting in 2023 that in 2021 “spending on preventive care showed continued growth with an annual increase of 66%. This large rise can be attributed to the €686 million spent on COVID-19 testing and tracing along with EUR508 million spent on COVID-19 vaccinations. Preliminary results for 2022 show a EUR2 billion growth in spending or 7% more than in 2021” (Central Statistics Office: System of Health Accounts 2021. Retrieved from here).

Cost saving is also a motivating factor for investment in preventative healthcare. The HSE in its 2024 Service plan notes that while preventative healthcare represents only 1% of its expenditure any investment in the area results in “two to four times” the economic benefit (HSE - Our National Service Plan 2024. Retrieved from here).

The World Health Organisation, in the “Regional digital health action plan for the WHO European Region 2023-2030” (WHO Regional digital health action plan for the WHO European Region 2023-2030. Retrieved from here), states that “by urging Member States to promote the digitalisation of their health system… transforming health systems and strengthening prevention and well-being” can be achieved.  In order to improve disease prevention, the WHO suggests strengthening digital literacy skills (with an emphasis on healthcare workforce).

Wellness and fitness data collected by wearables are not subject to the Medical Device Regulation, as these health apps and devices are not medical devices for the purposes of the Regulation, and thus are not directly regulated.  However, any personal user data collected will fall under the GDPR.

The information collected by wearables comprise of highly sensitive personal data such as health and medical information. Such data is subject to heightened protections under the GDPR (data concerning health is ‘special category’ data under the GDPR) which we have addressed in more detail above. Fitness trackers and wearables should be designed in a privacy-focused way with the personal data collected limited to what is necessary to provide the intended service. No data should be collected until such time as the user has been presented with a privacy notice that explains how the data will be processed in a manner that complies with the requirements of Articles 12 and 13 of the GDPR. It is likely that consent will need to be obtained from users to ensure that the controller has a valid legal basis under Articles 6 and 9 of the GDPR to process the special category data. An explicit (ie, tick box) consent will need to be presented to the user and the form of consent must comply with the requirements of Articles 7 and 9 of the GDPR to ensure that the user is fully informed of the manner in which the data will be processed including to which third parties the data will be shared and for what purposes. As wearables will often share data collected on device with other fitness providers to provide enhanced functionality for the user, providers should implement clear data sharing and data processing agreements. Given the sensitivity of this data, controllers are also expected to apply a high degree of security measures to ensure that the data collected by the wearables is not subject to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed. 

Furthermore, the Health Research Regulations 2018 require that data processors who process personal data for health research must obtain explicit consent from the data subject to do so.

The HSE’s National Service Plan for 2024 sets out a series of objectives for enhancing healthcare and particularly to move away from a treatment focussed health system and toward a culture of prevention.

The National Environmental Health Service protects public health by “preventing environmental factors which may cause ill health or reduce your quality of life”. Environmental Health Officers enforce regulation in areas such as cosmetic products, sunbed control and tobacco control and issue guidance on unregulated areas which it identifies as public health risks (eg, gyms or leisure centres) (HSE - About the Environmental Health Service. Retrieved from here).

The Sláintecare Implementation Strategy and Action Plan 2021-2023 (Government of Ireland, Sláintecare Implementation Strategy and Action Plan 2021-2023. Retrieved from here) lists “Prevention and Public Healthcare” as amongst its fundamental principles. This principle informed the Sláintecare Reform Programme which involved a number of projects including implementing the Health Service Capacity Review and the eHealth platform.

In the future, preventative healthcare will likely drive regulation as a response to climate health hazards. For example, the most common climate health hazard at present in Ireland is ultraviolet radiation to outdoor workers. The National Cancer Strategy 2017-2026 (Government if Ireland. National Cancer Strategy 2017-2026. Retrieved from here) recommends the Department of Health develop a national skin cancer prevention plan.

There has been increased entry of non-healthcare companies into the medical technology market in recent years.

Some of this was due to emergency situations during the COVID-19 Pandemic, for example some companies repurposed their manufacturing facilities to collaborate with medical device companied and produce ventilators. This helped to avoid a shortage of ventilators.

In other instances, technology companies have partnered with traditional medical companies in order to develop virtual care services.

However, non-healthcare companies attempting to enter the market face a number of challenges. Where non-healthcare companies enter the healthcare market and introduce new technologies, they may lack the expertise to produce equipment which meets clinical and regulatory standards.

Non-healthcare companies hoping to enter the market face a complex regulatory eco-system. It can also take many years to gain access to the healthcare market due to the requirement for clinical trials and regulatory approvals. This time delay is exacerbated by the requirement to obtain insurance following approval.

Furthermore, concerns regarding privacy and data security are often leveraged at non-healthcare companies entering the field.

A number of technologies have enabled enhanced use of connected devices in digital healthcare. The Internet of Things (IoT) connects medical devices and allows for real-time data exchange and cloud computing provides scalable storage of data. The developing regulatory framework will improve predictability for digital healthcare businesses.

The IoT facilitates telemedicine allowing for virtual consultations and reducing the need for in-person visits. In single hospitals telehealth may reduce hospital admissions. Telehealth will also allow for remote health monitoring from home (HSE Telehealth Roadmap 2024 – 2027 retrieved from here).

The Health Products Regulatory Authority (“HPRA”) is responsible for regulating medical products, and can recall products, inspect offices and ask for information to be provided.

There are a number of legal bases for liability in Ireland including:

Tort

Manufacturers owe a duty of care to anyone to whom it is reasonably foreseeable could suffer loss or damage as a result of their product.

Contract

Under the Sale of Goods Act 1893, as amended by Sale of Goods and Supply of Services Act 1980.

Criminal

Criminal sanctions are provided for under S.I. No 199/2004 implementing the European Communities (General Product Safety) Regulations 2004.

Statutory

Sanctions are provided for in the Liability for Defective Products Act 1991, as amended.

We are not aware of any regulatory or judicial decisions relation to claims of inability in this jurisdiction.

Managing cybersecurity risk is crucial, especially as the Internet of Medical Things ("IoMT”) and the health service becomes increasingly integrated.

Inter-connected medical software and devices present increased cybersecurity risks. Cybersecurity risks are also exacerbated where medical technologies operate on outdated software. The sensitive nature of healthcare leads to increased risk where a cybersecurity breach occurs in the IoMT.

Cloud Computing

Cloud computing, meaning the delivery of instantaneous computing resources (eg, data resources) over the internet, offers many advantages to healthcare organisations but it also may be vulnerable to data breaches, hacking and unauthorised access to patient data. The DPC has advised on a number of cybersecurity measures which organisations can take to protect themselves and developed guidance on securing cloud-based environments.

On Premises and Local Computing

On premises and local computing also presents cybersecurity risks. Mobile devices, such as smartphones, laptops and tablets may be stolen and logged into if left unattended and unlocked. Furthermore, even where a device is locked a weak password often increases cybersecurity risks. Healthcare organisations should regularly conduct IT mapping exercises and system audits to ensure the IT environment is secure and up to date. These obligations should be imposed on an organisation’s IT service providers in contractual arrangements, but ultimate responsibility will likely still rest with the relevant healthcare organisation or provider as controller.

Furthermore, computers being located where members of the public can view the screen or insecure methods for disposing of physical records can also present risks to cybersecurity.

Contractual Measures to address Cybersecurity Concerns

Contractual protections with regard to cybersecurity breaches may also include (i) ensuring that all parties have sufficient cyber insurance; (ii) including clauses to clarify indemnity and liability; and (iii) contractual language to inform responses to a data breach or cyber attack.

Information Technology Policies to address Cybersecurity Concerns

Under Article 32 of the GDPR, controllers must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks to personal data.

Healthcare organisations should also include data protection and cybersecurity clauses in employee and client contracts. Examples of technical and organisational measures which healthcare organisations can take include the pseudonymisation and encryption of personal data, automatic screen savers, firewalls and incident response plans.

Healthcare providers will also be subject to the NIS2 Directive (EU 2022/2555) which will come into effect from 17 October 2024, to implement a range of cybersecurity measures and training including governance arrangements to ensure that they have a high level of cybersecurity and preparedness and that they notify certain security incidents to the National Cyber Security Centre.

There is very little regulation associated with the IoMT.

The European Data Act (Regulation (EU) 2023/2854) entered into force on 11 January 2024 and will be applicable from 12 September 2025. It applies to any connected product on the IoT which generates or collects data concerning its performance, use or environment. This includes data related to “health and lifestyle equipment” or “medical and health devices”. It is expected that devices such as fitness trackers and pacemakers will therefore be caught by the Act. The Data Act facilitates the sharing of data between manufacturers and service providers of connected products to foster innovation and encourage data sharing. From 2026, the design of medical IoT devices must allow users of these products and services to directly access user-generated data. Users will also have a right to share and transfer their data between providers to improve interoperability within the EU.

The EU Commission has also introduced the MDR which outlines requirements for medical devices and the In Vitro Diagnostic Medical Devices Regulation (“IVDR”) outlines requirements for IVDs. Both the MDR and IVDR apply to all Member States.

The General Product Safety Regulation will also come into force in December 2024 and will only permit products to be sold in the EU if the product has been deemed “safe” within the meaning of the Product Safety Regulation. It will also require businesses to inform users of any risks associated with the products supplied.

On a global scale the Medical Devices Single Audit Program (“MDSAP”) (IMDRF - About MDRF. Retrieved from here) is an initiative aimed at harmonising medical device regulatory requirements across participating countries. Currently Australia, Brazil, China, Japan, the United Kingdom and the United States of America participate in the MDSAP. The World Health Organization is an affiliate and the European Union is recognised as an Official Observer.

Companies which are transitionally outside of the healthcare industry face a number of challenges when endeavouring to enter the market and offer software as a medical device technology. This includes navigating a complex regulatory framework they may be unfamiliar with and assuaging concerns regarding privacy and data security which are often leveraged at non-healthcare companies entering the field.

The IVDR defines ‘‘in vitro diagnostic medical device[s]” as encompassing a number of listed technologies used for certain medical purposes including predicting treatment response or reactions. Software is among the medical devices listed by this definition.

The IVDR stipulates, however that software is only an invitro diagnostic medical device “when specifically intended by the manufacturer” to be used for the purposes set out in the definition. Software for general purposes, even if it is being used in a healthcare setting, does not qualify as an in vitro medical device.

The MDR provides for categorisation of medical devices into four risk classes (Class I, Class IIa, Class IIb and Class III). A different conformity assessment procedure applies prior to being granted market access depending on the risk class of the product. Devices identified as being higher risk will undergo increased scrutiny as compared to those which are high risk.

The MDR which became applicable in 2021 includes transitional provisions until 2025. According to the European Commission, these transitional provisions will help to avoid market disruption. On the topic of whether the MDR will be able to keep up with future progress, the European Commission goes on to note in the questionnaire that the MDR will “enable the sector to produce safer and more innovative devices and help address future challenges” (European Commission - Questions & Answers: Application of Regulation on Medical Devices – EU rules to ensure safety of medical devices dated 26 May 2021. Retrieved from here).

This will include products which using AI and machine learning which will fall within the definition of medical device under Article 2(1) of the MDR. AI models will be regulated by the EU Artificial Intelligence Act (“AI Act”). Please see Section 11.1 and 11.2 for further detail on AI machine learning.

The Medical Council states in its guidance that telemedicine “involves the exchange of information between doctors and patients, or between doctors and professional colleagues, for the diagnosis, treatment and prevention of disease and injuries, and for research, evaluation and continuing education”.

In Ireland, the HSE established a division responsible for the delivery of technology to support healthcare provision across Ireland. eHealth Ireland runs a national Telehealth Programme, which focuses on four workstreams:

Video Enabled Healthcare

The HSE enables online health appointments for non-urgent care, getting results from healthcare professionals, mental health care and chronic disease management. The HSE also offers a blended approach, meaning that some encounters with healthcare professionals are in person, and some online.

Remote Health Monitoring

The HSE currently offers Virtual Wards, which are promoted as being safe and efficient alternatives to bedded care.

Online Supports and Therapies

This initiative has health information and signposting opportunities, self-help opportunities, online one-on-one or group supports and video consultations.

Engagement, Research and Evaluation

This initiative sets out objectives for research and collaboration, in order to promote evidence-based practices and to make research a core part of the health service.

While telehealth services are permitted in Ireland, there are no specific regulatory requirements. However, telemedicine platforms are required to comply with applicable laws, including, for example, data protection legislation.

Covid-19 Pandemic Response

In response to the COVID-19 outbreak, the HSE published Operational Governance Guidance for Telehealth Implementation. Furthermore, to support the implementation of Telehealth in community settings during COVID-19, the HSE published an Operational Governance Guidance for Telehealth Implementation – community services.

Registration and Education of Healthcare Professionals

All Medical Practitioners must be registered in Ireland with the Medical Council and this includes practitioners providing telemedicine services.

Similarly, regarding the provision of other telehealth services:

  • nurses and midwives must be registered with the Nursing and Midwifery Board of Ireland (“NMBI”);
  • dentists must be registered with the Dental Council of Ireland; and
  • pharmacists must be registered with the Pharmaceutical Society of Ireland (PSI).

Insurance Requirements

There are no specific insurance requirements for the provision of telemedicine services in Ireland.

However, pursuant to the Medical Practitioners (Amendment) Act) 2007, all Medical Practitioners must have professional medical indemnity up to a specified level which varies for different specialties.

Furthermore, all healthcare professionals who are providing cross-border healthcare must have professional liability insurance pursuant to the European Union (Application of Patients’ Rights in Cross-Border Healthcare) (Amendment) Regulations 2015.

Data Protection Requirements

Telemedicine services are subject to the same principles that apply in the context of traditional consultations. This includes the requirement to protect a patient’s privacy by keeping records and other information about patients securely. This is of particular importance in the context of telemedicine services. It is integral that strong security measures should be taken to protect the confidentiality inherent in the doctor-patient relationship.

The Medical Council Guide to Professional Conduct and Ethics states that doctors working in telemedicine should make every effort to ensure that notes taken about a patient are place in the patient’s medical record with their general practitioner as soon as possible.

Applicable law provides criteria for security systems to protect patient information

Under Article 32 GDPR, controllers must implement appropriate technical and organisational measures to ensure that patient data is subject to appropriate technical and organisational security measures to ensure that the data collected by the wearables is not subject to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed. The standard set by the GDPR allows controllers to consider the costs of implementation alongside the scope, context and purposes of processing as well as the risks that a security incident would pose to the rights and freedoms of natural persons. Examples of technical and organisational measures can include pseudonymisation and encryption of personal data, restricted access controls, network segregation and regular security and penetration testing. Where telemedicine providers rely on video conferencing and electronic health records as part of the delivery of its services to patients, it will need to ensure appropriate data protection measures are in place by design and default.

Jurisdictional Requirements

As noted above, if a doctor based in Ireland is providing telemedicine services in Ireland or in any Member State, they must be registered with the Irish Medical Council.

Doctors based in EU or EEA can also provide certain telemedicine services to patients in Ireland provided they are appropriately qualified and registered with a professional body in their jurisdiction.

Legal Status of Video Platforms such as Zoom and Microsoft Teams

There are no specific legal requirements for video platforms such as Zoom or Microsoft Teams separate to general obligations under data protection and cybersecurity legislation. Such platforms must ensure they have in place appropriate data processing clauses in their service contracts and provide adequate technical and organisational measures to ensure the security of data collected and stored on video platforms. 

From 17 October 2024, video platforms that operate as cloud-based service providers may be subject to the NIS2 Directive (Directive (EU) 2022/2555) if considered a service of high criticality. If in scope for NIS2, video platforms will be subject to greater cybersecurity risk management measures, increased governance oversight and incident reporting obligations to provide a common level of cybersecurity across essential or critical services within the EU.

There is no specific legislation dealing with payment for telehealth services, either in the public or private sector.

The Medical Council ‘Guide to Professional Conduct & Ethics for Registered Medical Practitioners’ (Medical Council - Guide to Professional Conduct and Ethics for Registered Medical Practitioners 2024. Retrieved from here) is equally applicable to Medical Professionals whether they are providing their services in person or via telemedicine. The Guide states that fees should be appropriate with respect to the services provided and a schedule of fees/envisaged costs should be made available to patients in advance of the consultation and treatment.

Telehealth may be covered by health insurance providers.

The IoMT is an interconnected infrastructure of medical devices and software enabled by a number of technological advancements including cloud computing, artificial intelligence, sensors and data sources and high-speed 4G/5G networks.

The IoMT has a wide range of applications in healthcare. For example IoMT devices can assist in diagnostic by tracking vital signs and bodily parameters, gathering this data and providing it in real time for accurate evaluations.

Security risks in the IoMT include power attacks (draining of batteries or power sources), remote hacking of devices, disrupting of device functionality and unauthorised copying of devices.

The impact of 5G networks on digital healthcare is expected to include online medicine instruction and online collection, storage and use of medical data and images as well as remote surgery, supply chain management, contact tracing and rapid health service deployments (Siriwardhana, Yushan, Gurkan Gur, Mika Ylianttila, and Madhusanka Liyanage - “The Role of 5G for Digital Healthcare against COVID-19 Pandemic: Opportunities and Challenges” 7, no. 2 (November 2020). Retrieved from here). This is achieved through leveraging 5G’s high-speed networks and ability to facilitate real-time data transfer.

The European Parliament decision establishing the Digital Decade Policy (EU) 2015/2120 lists technological neutrality as one of its key principles meaning that “All technologies and transmission systems able to contribute to the achievement of the gigabit connectivity, including the current and upcoming advancements of fibre, satellite, 5G or any other future ecosystem and next generation Wi-Fi should therefore be treated equally, where they have equivalent network performance” (Decision (EU) 2022/2481 of the European Parliament and of the Council of 14 December 2022 establishing the Digital Decade Policy Programme 2030 (Text with EEA relevance). Retrieved from here).

The use of personal data in digital healthcare is primarily regulated by the GDPR and the Data Protection Acts 1988–2018. Information relating to a person’s health is special category data under the GDPR and is subject to greater protections (as explained further above).

Where health data is collected for the purpose of health research, the Data Protection Act 2018 (Section 36(2)) (Health Research) Regulations 2018 (as amended) will apply. The research body must obtain the explicit and informed consent of data subjects to use their personal information. If it is not possible to obtain explicit consent, controllers may apply to the Health Research Consent Declaration Committee for a declaration waiving the explicit consent requirement where the public interest in conducting the health research “significantly outweighs” the public interest in obtaining their explicit consent.

Medical Practitioners must also ensure that patients have given their consent to conduct the consultation through telemedicine and consent to any treatment provided.

As with traditional consultations, Medical Practitioners must ensure that:

  • patients’ consent is sought and obtained before providing treatment;
  • patients have the capacity to consent;
  • patients have been provided with sufficient information to enable them to make informed decisions about their care; and
  • patients are updated on changes to their condition, treatments or investigations proposed and that consent is continuously sought on this basis.

If a data subject requests access to their health data and a medical practitioner believes that providing access will cause serious harm to the data subject (whether physical or mental), the medical practitioner can refuse access under the Data Protection (Access Modification) (Health) Regulations 2022.

Patient safety is of paramount importance in the delivery of appropriate healthcare. Accordingly, privacy and security are key enforcement areas in terms of healthcare IT. The Irish Data Protection Commission has wide-ranging powers and can impose substantial sanctions for breaches of the GDPR. Further, data subjects have the right to bring actions for material and non-material damages in the courts.

Where a controller appoints a data processor to process personal data on its behalf, both parties must enter a written data processing agreement that meets the requirements of Article 28 GDPR. Where two or more parties are working together, they may be considered “joint controllers” if they jointly determine the purposes and means of processing personal data. Joint controllers should enter into a written contract to set out the responsibilities of each party, in particular regarding the liability of the parties.

Any medical devices using AI technology to improve functionality should be aware of the new cybersecurity risks posed by their use and their interoperability, security and resilience levels must be considered in this context.

The use of confidential or sensitive medical information in AI tools, for example in natural language processing “virtual assistants” or to train AI models, remains a significant data protection concern. Any processing of personal data in these tools will require that all requirements of the GDPR such as clear transparent information on how the data would be processed, shared, identifying a legal basis for processing, ensure a high level of security and confidentiality etc. are complied with and that compliance is maintained on an ongoing basis. Where consent is obtained, it must be possible to have any personal data deleted from the relevant AI tool if consent is revoked. Without appropriate anonymisation or redaction measures in place, sensitive data can form part of the AI model’s core dataset which may cause sensitive personal data to resurface in an output at a later date. The GDPR has further specific prohibitions or restrictions on various categories of processing (eg, profiling, special category data, automated decision making, etc) that may be relevant in any particular use case.

An organisation acting as a controller or processor of data used by an AI tool may be liable for a GDPR breach. This can occur if personal data is used to train algorithmic models without having an appropriate legal basis, or where data subjects are not notified of the use (including any future use) of their data in the context of an AI model. The use of AI can also involve automated decision-making which is highly regulated under the GDPR. In addition, as the AI Act will impose fines of up to 6% of global turnover, a measured risk-based approach should be adopted that extends beyond GDPR compliance. A data protection impact assessment (as required under the GDPR) and a fundamental rights impact assessment (as required under the AI Act) should be conducted for the use of AI tools in the health sector where the tool will involve the high-risk processing of personal data.

The AI Act also recognises that AI providers, notified bodies, digital innovation hubs, testing experimentation facilities and researchers should have access to and use of high-quality datasets. The European Commission will establish common data spaces to facilitate data sharing between businesses and government in the public interest to provide trustworthy, accountable and non-discriminatory access to data for the training, validation and testing of AI systems. This includes non-discriminatory access to health data to train artificial intelligence algorithms in a privacy-preserving, secure, timely, transparent and trustworthy manner, and with an appropriate institutional governance.

The AI Act is an EU Regulation which aims to regulate the use of AI systems on the EU market. It is expected to enter into force in June 2024 and will come into force on a phased basis over a period of 36 months. Medical devices and in vitro medical devices that are class IIa or higher under the MDR will be classified as high-risk AI systems. Medical device manufacturers and providers will be required to comply with a number of obligations to ensure the safety and security of AI medical devices. These obligations will exist in addition to those under the Medical Device Regulation and the In Vitro Diagnostics Medical Devices Regulation. Moreover, any organisations that use AI systems in the provision of health or medical services will be required to implement appropriate technical and organisational measures to ensure the safety and security of the system being deployed, particularly where AI tools are used to make decisions in critical or emergency systems such as classifying and evaluating emergency calls.

The AI Act recognises the risk of bias and discriminatory impacts within AI systems. Medical devices classified as high-risk AI tools will be subject to data governance and management practices that are appropriate for the intended purpose of the AI system, particularly where the potential bias is likely to impact the health and safety of individuals. It is only permissible for high-risk AI systems to process special categories of personal data (such as health or medical information) where bias correction and deletion can be ensured.

Companies which develop and sell new digital healthcare technologies must navigate a growing legal and regulatory landscape. These regulations include:

  • the General Data Protection Regulations;
  • Registration Requirements;
  • Liability under Consumer Protection Laws; and
  • Medical Device Regulations.

Established IT Companies are adapting to operating in a regulatory healthcare environment as they introduce digital healthcare technology as part of their technology and service offerings by collaborating with existing healthcare providers. Established IT companies can also leverage their expertise in AI and cloud computing.

To properly support digital technologies, healthcare institutions must have robust IT infrastructure in place to adopt new IT technologies into their existing systems while maintaining a secure network.

Healthcare institutions should establish governance structures for cybersecurity-related matters such as the appointment of a Chief Technology Officer and/or a Chief Information Security Officer to ensure compliance with regulatory obligations including NIS 2 (see 13.2 Data Management and Regulatory Impact for further information). Proactive scanning and testing of networks should be conducted to identify vulnerabilities and security weaknesses as well as a 24/7 security monitoring service. Healthcare institutions should also carry out an IT mapping exercise and conduct tabletop cyber-attack simulations to get a comprehensive understanding of their technology landscapes.

Cloud-based service providers in the digital health space should consider if they fall within the scope of the EU Directive on the Security of Network and Information Systems (NIS1), and NIS2. NIS2 will come into force on 17 October 2024 and imposes enhanced obligations in relation to cybersecurity incidents. The health sector is designated as a sector of high criticality which captures medium and large healthcare providers, laboratories, research and development bodies and manufacturers. NIS2 imposes obligations on management in respect of the organisation’s cybersecurity compliance with onerous penalties imposed for failure to comply. It also sets out detailed risk management measures and requires the notification of incidents that compromise the availability, authenticity, integrity or confidentiality of data or services that has a significant impact on the provision of services.

The Data Act, NIS2 and the GDPR are some of the key regulations focused on building a European Health Data Space which seeks to empower individuals to take control of their health data for the delivery of healthcare across the EU and to provide a consistent, trustworthy, and efficient system for the reuse of health data for research and innovation, policy, and regulatory activities.

Patents

The Patents Act 1992 (as amended) governs the law relating to patents in Ireland.  For an invention to be patentable, it must be novel, susceptible of industrial application and involve an inventive step. Patent applications can be made to the Irish Intellectual Property Office or the European Intellectual Property Office. While software is not by itself patentable in Europe, software based inventions are.

Patents can provide registered protection for up to 20 years. A short-term patent may be obtained without needing to demonstrate the invention’s novelty.

A patent cannot be obtained for, among other things:

  • a discovery, scientific theory or mathematical method;
  • a scheme, rule or method for performing a mental act, or a computer program;
  • the presentation of information; or
  • a method for treatment of the human or animal body by surgery or therapy and a diagnostic method practiced on the human or animal body (excluding a product, substance or composition for use in any such method).

Copyright

The Copyright and Related Rights Act 2000 (as amended) governs the protection and enforcement of copyright in Ireland. 

Copyright subsists automatically upon the creation of literary, artistic and other tangible works (including computer programs and databases), protecting the physical manifestation of the work (as distinct from the underlying idea or principle) once the work in question meets the test of originality. Copyright exists in the software itself (source and object code) along with any accompanying elements such as sound and graphic designs.

In an employment context, the employer will be the owner of any copyright created by an employee in the course of their employment, unless they have agreed otherwise.

The owner of copyright in a work has the exclusive right to prevent or allow others to:

  • copy the work;
  • perform the work;
  • publish or otherwise make available the work; and
  • adapt the work.

Trade Secrets

The protection of trade secrets is governed by the European Union (Protection of Trade Secrets) Regulations 2018 (Trade Secrets Regulations), which transpose Directive EU 2016/943 (the Trade Secrets Directive) into Irish law.  Under this regime, a trade secret is protected if:

  • it is secret, being not generally known among or readily accessible to persons who normally deal with that kind of information;
  • it has commercial value because it is secret; or
  • reasonable steps have been taken to keep it secret.

The Trade Secrets Regulations provide for prohibitive and corrective remedies to prevent and/or obtain redress for the unlawful acquisition, use or disclosure of the trade secret. 

While the Data Act seeks to encourage greater data sharing to foster innovation, it also includes important safeguards to protect intellectual property and trade secrets. Manufacturers and service providers have a veto right to restrict data sharing and accessibility of trade secrets if doing so would lead to serious and irreparable economic loss. 

Inventions and works of authorship created by AI technologies

Intellectual property laws in Ireland are designed to protect human creations rather than those developed by autonomous AI systems with no human input. The Patents Act 1992 envisages that the inventor will be a natural person and requires the inventor or joint inventors to be mentioned on the patent application. The Copyright and Related Rights Act 2000 states that, in the case of computer-generated works where the author is not an individual, the authorship of these works will vest in “the person by whom the arrangements necessary for the creation of the work are undertaken”. This implies that the AI model must be acting on the instructions of a human, rather than the AI system acting autonomously.

In Ireland, companies can obtain corporation tax relief in certain circumstances if they have qualifying assets under the Knowledge Development Box regime. Qualifying assets include computer programs and a patented or patentable inventions.

Obtaining registered intellectual property protection in the form of a patent across relevant jurisdictions is costly and can be protracted. The speed at which digital technologies are developing in the current landscape can often mean that the technology will be obsolete and outdated by the time the application is approved. In relation to patents, once the patent is published, all details of the patent are publicly disclosed even if the application does not proceed to registration. A patent will provide protection for 20 years and cannot be renewed. Once the 20-year period expires, the patent can be freely used by the public.

Copyright has a longer period (being the life of the author plus 70 years) and the protection evolves as the software itself evolves provided it has the requisite standard of originality. There is no copyright register in Ireland or the EU and so the owner can only enforce its rights by demonstrating there has been, in effect, copying by an infringer of its copyright. This means that the rights cannot be enforced against a third party who separately and independently (and without copying a work already protected by copyright) develops the same or a similar software program.

Under the Trade Secret Regulations, again while there is no formality to claiming trade secret protection once it has been protected as a trade secret, the remedies available to the trade secret holder are “negative” rights, which include prohibition of the use of trade secret, prohibition of the production or use of infringing goods, adopting corrective measures and the destruction (or delivery) of all or part of any data embodying the trade secret.

Digital healthcare products provided directly to consumers, such as medical and fitness apps, will be subject to terms and conditions or end-user licensing agreements which grant the user permission to use the software contained in the app. Cloud services are generally subject to a “Software as a Service” or “SaaS” Agreement.

In agreements between commercial entities, the scope of licence is typically defined. The parties should consider the appropriate ownership of the intellectual property including the ownership of any bespoke features or improvements. The strength of warranties should also be considered as to the completeness, accuracy and usefulness of the licensed data, data protection compliance, the ownership of background IP and IP that is bespoke for the individual licensing the software.

Knowledge Transfer Ireland is the national body tasked with facilitating the transfer of academic and state-funded expertise and technology to businesses. They produce model agreements which typically form the basis for the licensing of university-generated IP to spin-out companies or industry investors in return for royalties and for collaborative developments between industry and academia. IP owned or developed by academic institutions may also be assigned provided the transfer is in accordance with State Aid rules.

Private sector technology companies will often enter into negotiated contractual arrangements. In industry funded arrangements, the IP rights will often be assigned to the entity providing financial support for the research and development with a right to use the intellectual property reserved for the university or healthcare institution to continue to use the intellectual property for teaching and research purposes.

Clear research and development agreements should be negotiated prior to the creation of collaborative developments. To address pre-existing intellectual property, the allocation of ownership of developed intellectual property rights and how these rights can be exploited by the parties. In most cases, it will be most appropriate for one of the parties to take ownership of the intellectual property that is jointly developed. Joint ownership of IP can give rise to complex management arrangements.

The liability related to patient care resulting from decisions made using digital health technologies, particularly those based on data analytics and AI, will continue to be governed by the existing legal framework of Product Liability, Contractual Protections and Negligence.

Bias in AI before the injury can be addressed by the owner ensuring there is a diverse data group informing the AI and through regularly auditing AI models for bias.

After an injury takes place the AI owner can address by transparently addressing bias-related incidents and by implementing fairness-aware algorithms to mitigate bias.

Managing liability resulting from third-party vendors’ products or services involves contractual safeguards, due diligence and robust cybersecurity practices to protect healthcare institutions. The principles of negligence may also apply.

Arthur Cox LLP

Ten Earlsfort Terrace
Dublin 2
D02 T380
Ireland

+35 31 920 1298

dublin@arthurcox.com www.arthurcox.com/contact/dublin/
Author Business Card

Law and Practice in Ireland

Authors



Arthur Cox is one of Ireland's leading law firms. It is an “all-island” law firm with offices in Dublin and Belfast. The firm also has offices in London, New York and San Francisco. Its practice encompasses all aspects of corporate and business law providing a comprehensive service to an international client base ranging from established global leaders and multinational organisations to government agencies and statutory bodies, public and private companies, banks and financial institutions to new players in emerging industry sectors.