Contributed By Gilat, Bareket & Co., Reinhold Cohn Group
Digital health products have become an integral part of medicine, whether in the prevention, diagnosis, treatment or management of health and diseases.
From the point of view of the patients/consumers, health apps have improved their ability to track patients’ health and fitness, store or transmit health data, keep track of their test results or doctor appointments and improve their wellness and wellbeing. At the same time, these technologies increase the risk of invasion of privacy and leakage of personal sensitive information.
Healthcare providers (HMOs) use digital health products to improve and enhance the quality of medical services provided. This includes, among others, decision support systems, workload management systems, telehealth services, and early detection technologies. For instance, the Director General of the Ministry of Health (MoH) issued a directive encouraging hospitals and HMOs to increase the use of telehealth to monitor and examine patients in order to minimise physical clinic visits in anticipation of the winter season.
HMOs are also actively engaged in out-licensing access to their highly valuable databases of health data.
From a regulatory standpoint, the primary entities are the MoH and the Authority for the Protection of Privacy, with the Authority for Innovation and others occasionally playing roles.
Combining technological platforms with clinical evidence that measures intervention leads to considerable technological progress. A prime example is the digital surgery platform, VELYS, which employs AI and patient-specific data collection to transform orthopedic surgery. This platform not only changes the way surgeons work, but also improves patient recovery by facilitating the creation of personalised treatment and surgery plans.
There are no regulatory definitions of digital health and digital medicine. There are several circulars of the MoH addressing certain aspects of these activities. The main body of regulation that is not health-specific but that applies to digital healthcare is the Israeli Privacy Protection Authority.
Some of the key technologies enabling new capabilities in digital healthcare and digital medicine are:
The emerging key legal issues in digital health are explored in more detail in other sections of this chapter. Briefly put, they include privacy and data security issues, healthcare regulatory concerns such as anonymisation and preservation of confidentiality of health data, regulatory limitations on data sharing, data portability and the application of contract and commercial law to the evolving industry of data access and licensing.
The key regulatory agency is the MoH, which is responsible for most aspects of the healthcare and pharmaceutical industries. It issues marketing authorisations for pharmaceuticals and for medical devices, including regulation of the requisite clinical trials. It also regulates the activities of the HMOs. Finally, the MoH regulates the practice of medicine by physicians. There is no separate agency that is entrusted with the regulation of digital medicine, digital health and/or medical devices.
The digital transformation of the healthcare industry is unfolding rapidly, but the development of a comprehensive and detailed digital healthcare regulatory scheme is lagging behind. The government published a national digital transformation plan and the MoH followed suit with its own digital health programme. However, primary legislation was not amended. Draft regulations (secondary legislation) relating to health data anonymisation and health data sharing have been published for public consultation but have not yet been published.
As it stands, the main regulatory documents that have been published today are circulars of the general manager of the MoH that concern certain aspects of secondary use and sharing of health data, the use of digital means in the process of obtaining informed consent, the use of cloud computing in the Israeli healthcare system, the criteria for operating telehealth medicine, providing patients accessibility to personal health data (“healthcare in the palm of your hand”), the protection of information in computerised systems in the healthcare system, and the rules of ethics for remote care of Israel Medical Association. The circulars are intended to be binding for HMOs and hospitals, although this is partially disputed by certain HMOs. Their authority over the private sector remains uncertain, yet due to the private sector’s reliance on healthcare institution data, considerable control over conduct is largely maintained.
In early 2023, a draft bill proposing a health data portability law was introduced. The objective of this bill is to provide the necessary regulatory infrastructure to ensure patient health information is available and reviewable when and where it is needed, all the while maintaining patient privacy and information security.
To realise the vision of quality information in the Israeli healthcare system and to facilitate and improve co-operation between the authorities, a medical nomenclature project was recently launched. This project promotes the use of documentation and data coding in the Israeli healthcare system, with the first phase involving the implementation of SNOMED-CT for uniform medical terminology to document medical operations and diagnoses.
At the data protection and privacy level, the Privacy Protection Authority has published various publications covering different aspects of data protection, including a document that delves into the different remote medical services available in Israel, evaluates the privacy risks to patients, outlines relevant legal regulations and guidelines, and provides specific recommendations for the utilisation of health and fitness applications. The regulations were inspired by, and are generally consistent with, the EU General Data Protection Regulation (GDPR).
The main regulatory enforcement activity currently conducted concerns privacy protection enforced by the Privacy Protection Authority. This Authority supervises and enforce not only hospitals and HMOs, but also the Medical Examination Institute and imaging institutes, which naturally hold sensitive medical information. The pressing need for stringent oversight by the Privacy Protection Authority is clearly underscored by two key factors: the extreme sensitivity of health information and the rapid pace at which digital health solutions are being adopted, all set against a backdrop of an underdeveloped and non-systematic healthcare regulatory scheme. For example, the Privacy Protection Authority recently published a supervision report focused on the digital healthcare sector. According to this report, the Privacy Protection Authority engaged with entities providing digital healthcare services, examining them based on three primary criteria:
Most of the entities demonstrated a high level of compliance across all the areas examined, with only about 30% of the entities showing a partially satisfactory level of compliance.
The enforcement actions of a regulatory authority can take place either on an administrative or criminal level. Administrative measures might include imposing fines or recommending the removal of officers from their posts. Before imposing an administrative sanction, the regulatory authority must gather evidence sufficient enough to justify its decision and, in most cases, must allow the institution an opportunity to present its case before a final decision is reached. On the other hand, criminal enforcement involves bringing a case before a competent court and may result in imprisonment, a fine or both.
The Privacy Protection Authority is a non-healthcare regulatory agency responsible for enforcing the privacy and data protection legislative scheme in Israel. All other health-related issues (including wellness, fitness and self-care) are regulated by the MoH.
The Privacy Protection Authority is primarily concerned with issues, including:
The MoH is concerned with almost all aspects of the healthcare and medical industries. These include the health of patients (safety and efficacy of treatments), proper management and financial stability of health institutions, the national health budget, and the rights of patients. As such, the matter of health data usage and sharing falls under the joint jurisdiction of these two authorities. Regarding data anonymisation, the MoH typically assumes the lead role. Interactions between these two entities generally lack transparency.
Government participation is also manifested through the Authority for Innovation, which offers financial support for digital medicine projects across various fields.
There is no significant difference between preventative care and diagnostic care under Israel’s healthcare systems, since both of them are regulated under the same laws and regulations and are provided by the same healthcare providers, namely the HMOs. For example, the definition of “practice of medicine” under the Physicians Ordinance [New Version], 1976, does not differ between specific fields: “means any examination, diagnosis or treatment of, and the giving of any prescription for, sick or injured persons, attendance to women in connection with pregnancy and childbirth, and other services generally performed by a physician”. Accordingly, health maintenance organisations provide a wide range of medical services, including services of preventative care, as well as of diagnostic care.
Social trends such as people becoming more knowledgeable and active about their health during the COVID-19 pandemic, brought about an expansion of digital health. Government initiatives (such as the food labelling reform) have also contributed to health awareness and increased the focus on preventative care. Accordingly, healthcare and non-healthcare organisations began investing in the wellness field. Health maintenance organisations began to implement their services and technologies for healthcare and wellness. For example, Clalit (the largest HMO in Israel) provides its members with the “Active” app, which promotes a healthy lifestyle by recommending various personal goals, such as a daily number of steps, and other physical activity, as well as recommending how much water to drink, and providing data about sleeping patterns, and more.
Clalit also recently announced the launch of an AI platform called CPI (the Clalit protective–preventive intervention platform), which provides doctors with data regarding which patients would benefit from preventive medicine due to certain risk factors.
Israel is a leading country in preventative care. One of the fields in which Israel invests is food technology. For example, in 2020 the Inaugural Global Wellness Summit Prize for Innovation was awarded to Amai Proteins, an Israel-based innovator that developed protein-based products for food and beverages, including a sweet designer protein as a substitute for sugar (“designer sweet proteins”), that significantly reduces added sugar in a wide variety of food and beverages. The awareness of preventative care is constantly rising, leading to the development of new technologies that promote a healthy lifestyle.
Wellness and fitness data are not subject to specific healthcare or privacy regulations, but rather to general regulations that apply to data and digital health, including:
In addition, the General Director (GD) of the MoH published a few circulars referring specifically to digital health, as listed below:
The health data circulars currently prescribe the extent of protection over health data. In general, unless otherwise specified by law or approved by an explicit opt-in, any data for secondary use will be anonymised. Furthermore, any secondary use of health data for research purposes must be pre-approved by the Helsinki Committee.
No law in this field has been developed by courts or judges, but rather by legislative enactment.
To date, no binding regulation applying specifically to preventative healthcare has been enacted in Israel.
The digital healthcare market is dynamic and characterised by ongoing changes, with numerous areas of uncertainty that may differ between countries. Therefore, collaborating with an experienced institution in this field offers clear advantages. It is crucial to carefully consider the regulatory frameworks relevant to both the research and development phase, as well as the commercial marketing and sales phase.
The following have enabled the enhanced use of connected devices in digital healthcare:
At the end of 2021, the Authority for the Protection of Privacy published a document of recommendations concerning the use of wearables for sports and health purposes.
In this regard, Clalit provides its members with the “TytoHome” device that can be used at home, through which doctors can remotely perform a live examination and provide a diagnosis, treatment notes, and any referrals or prescriptions. The TytoHome kit allows for detailed health readings on critical areas of the body, such as the heart, lungs, ears, throat, abdomens and skin, as well as heart rate and body temperature. Another example is the CardioSen’C device of SHL, a portable device that monitors heart activity, and which can communicate the results instantaneously to a cardiologist.
There is no specific legislation on digital health, hence general tort law applies. This includes, primarily, the tort of negligence and the regime of strict (no fault) liability under the Defective Products Liability Law, 5740-1980. Breach of contractual warranties may also come into play.
When using a cloud computing environment, concerns emerge regarding the privacy and security of the uploaded data. If the cloud resides outside of Israel, questions arise regarding the authorisation for transferring such data beyond the country’s borders.
The Privacy Protection Regulations (Transfer of Personal Information to Databases Outside the State Borders) 5761-2001 outline requirements for transferring data abroad. For instance, the recipient party must agree to adhere to the data retention and usage conditions applicable to databases located within Israel (Section 2 (4) of the Regulations). In July 2019, the MoH authorised, for the first time, hospitals and healthcare organisations to use cloud services. Although concerns persist regarding the potential theft of patient medical data and vulnerability to cyber-attacks, there are advantages to leveraging cloud services, such as enhancing digital medical practices and reducing computing expenses. Oracle decided to establish a data centre in Israel, comprising two cloud servers:
The health sector was one of the ten most cyber-attacked sectors in Israel in 2021. Accordingly, in 2022, the MoH published basic principles for the regulation of cyber defences in the healthcare system alongside principles for integrating remote medicine systems into emergency medical centres. Furthermore, the Ministry of Justice and the Authority for the Protection of Privacy published a document concerning the protection of patient privacy in telemedicine services. On May 2023, an annual report of the state auditor on cyber and information systems was published, following a cyber-attack on Hillel Yaffe hospital in Hadera that occurred in mid-October 2021. The Head of the National Cyber Directorate recently mentioned that the strength of cyber-attacks has increased threefold in warfare.
As to the local computing environment, concerns regarding the privacy and security of uploaded data still exists but can be minimised by setting forth and implementing data security standards. The Protection of Privacy Regulations (Data Security) 5777-2017 states that when a contract is established between a database owner and an external entity for service provision, several provisions must be included in the agreement, including:
The health data circulars prescribe the extent of protection over health data. In general, unless otherwise specified by law or approved by an explicit opt-in, any data under secondary use will be anonymised. Furthermore, the circulars set detailed conditions for privacy, medical confidentiality, standards for managing patient records in the health system, and data security.
To date, there are no specific proposed regulations or regulatory guidance in the field of the internet of medical things.
Unfortunately, there is no statutory definition of software as a medical device. The registration of medical devices is entrusted to the medical accessories and devices (MAD) unit of the MoH. It must be noted that there is no legal requirement to obtain marketing approval for medical devices. The MAD unit nonetheless operates because HMOs and hospitals will not purchase non-approved devices. The MAD unit recognised US (510K) and EU (CE) approvals, meaning that holders of such approvals can easily obtain authorisations in Israel as well.
In April 2023, the MOH published guiding principles for the development of AI-based technology in the digital health sector.
To date, telehealth has been more widely used in Israel in some fields. In August 2022, the Authority for the Protection of Privacy published a document of key recommendations on the provision of remote medical services.
Patient–physician consultations through video calls have become popular but primarily after hours (through central service centres). Remote monitoring by means of handheld medical devices carried by patients in their homes has also become popular. This device not only monitors certain indices but also allows the physician to (partially) inspect the patient as if the patient were in the clinic, and to receive medical data obtained by remotely monitoring the patient using sensors. Surgeries have been conducted in hospitals with the participation of foreign experts through video calls. Virtual hospitals have not yet been established.
One of the concerns raised in the context of telemedicine is the digital divide and the concern that certain populations will be discriminated against and not be able to benefit from these new services.
As yet, there are no special regulations for cross-border provision of services and the general rules apply (meaning that non-licensed practitioners cannot provide health services from abroad).
During the COVID-19 pandemic, certain relaxations of the regulatory scheme were made. For example, the guidelines regarding clinical trials were modified and relaxed in several aspects with a view to achieving social distancing during the informed consent process, and during meetings to discuss and approve the conduct of clinical trials. Notably, studies on health data were exempted from certain approvals if the data was anonymised. All such relaxations were cancelled after the pandemic subsided.
Almost all healthcare services are provided by the four major HMOs. The HMOs are funded by the government based on the number of patients they treat. The HMOs are generally not required to provide drugs and medical services not funded by the government. Each year, a special committee approves the introduction of new drugs and new technologies to the “healthcare basket”, thereby requiring the HMOs to provide such solutions.
A host of technological developments have enabled the internet of medical things (IoMT) to develop to its current stage. One could begin with continuous improvements in authentic communications infrastructure (culminating in the recently introduced 5G network technology) that facilitates connectivity and bridges geographical gaps, improvements in computer vision, as well as various imaging techniques, coupled with the miniaturisation of chips and other hardware components, the increased computational power of computers, the development of highly sophisticated sensors (in particular, non-invasive wearable ones), the improvement in energy storage and battery life, and the maturity of machine learning and AI as applied to health data, to name just a few of the driving technologies.
The development of IoMT facilitates a wide scope of functionalities, such as:
However, the growing use of these components and technologies results in increased exposure to cyberthreats, privacy risks through the exploitation of existing vulnerabilities, hostile takeovers and the like.
In order to assist health organisations in addressing these risks, the National Cyber Authority published in late 2020 a guide entitled “IoMT-Based Medical Device Protection Recommendations”, which concerns actions and controls to strengthen IoMT devices, while making recommendations for dedicated controls. The guide builds on classifications published by the Cloud Security Alliance (Managing the Risk for Medical Devices Connected to the Cloud). As it states, it should be remembered that there is no single technology applicable for all types of systems. Therefore, cyberprotection for IoMT components has necessitated requirements for the protection of such components as well as protection from them. Also, a variety of components are provided by a variety of vendors and not everyone comes with the same security settings. These facts make it difficult to create standardisation and uniform component management. This results in a need to protect IoMT components and their environments while combining different controls (policies, technologies, code and hardware).
The introduction of 5G networks is expected to have a major beneficial impact on the healthcare industry. Owing to its high bandwidth, high speed and improved latency and error rate, 5G technology is expected to:
The deployment of 5G networks in Israel is slowly progressing. As part of the activity and enforcement plan of the Authority for the Protection of Privacy in preparation for the deployment of the network, adjustments are also required regarding digital health and telehealth applications.
The key legal issues in using and sharing personal health in research and clinical settings are as follows.
There are no different regulatory frameworks for data use or for data sharing. The distinction made is between primary use, which is use of a person’s health data (including identifiable data) substantially for the purpose of treatment of that particular individual, and secondary use, which is defined as any other use. Primary use does not require the patient’s consent. Secondary use requires either the patient’s informed consent (opt-in) or the use of anonymised data (which, if done properly, means a patient’s consent does not need to be obtained).
In this context, the MoH launched the “World of Data” platform, which allows the public to see a broad picture of the health system and the quality of its medical care.
Alongside this, a national platform was launched for conducting big data research in health data (research infrastructure for huge data). The platform is intended to serve the research community in conducting groundbreaking research in the field of health, by collecting health data from HMOs, but it faces difficulties and considerable barriers with regards to its implementation.
There are cases when the comparison of anonymised data with other data sources can result in re-identification. When access to the other data source requires informed consent (such as genetic data), the patient will typically be requested to provide consent to access their other phenotypic data. Alternatively, the database holder (for example, the HMO) will provide the researcher with unique keys that enable only the HMO but not the external researcher to connect and then analyse data with the identified data of the patient.
Informed consent may be obtained either by traditional means or by digital means. When digital means are used, this must be done in a procedure published by the MoH in October 2020. The general rule is that there must be a face-to-face meeting between the participant in the trial and the researchers. However, such a meeting can be conducted virtually and not necessarily in person. When choosing whether to make use of digital means in the process of obtaining informed consent, one must examine, among other things, the balance between the benefit of using such means and the associated risks, the severity of the medical intervention in the clinical trial, the characteristics of the target population and their level of access to the proposed digital means, the number of participants and their level of access to the place where the trial is conducted.
One declared goal of the procedure is to prevent the exclusion of various populations, particularly in light of the digital divide. Lastly, when asking a patient to opt in to participate in studies and activities that do not have direct benefits for such person, it is preferable to obtain their opt-in consent through a special recruiter instead of the attending physician.
The regulatory scheme mainly addresses the issues of data security, data sharing, secondary use, accessibility to personal health data, ethics and anonymisation. It does not yet regulate the utilisation of AI and machine learning in general or the digital healthcare industry in particular.
Machine learning is particularly useful in the healthcare industry in research fields such as:
One of the challenges for training machine learning algorithms is the need for access to sufficiently large and representative data sets and the need for removing bias underlying past decisions studied by the algorithm. Luckily, the data sets of the two large HMOs in Israel are relatively large. Nevertheless, when a particular research topic requires the pulling of data from different sources, the process is still cumbersome. Another limiting factor is the need to have geographical proximity between the machine learning server and data set.
Natural language processing (NLP) is particularly useful in big data analysis of interactions between a physician or a therapist and their patient. NLP may also be useful in the digitisation of handwritten records.
Research involving genetic data poses substantial privacy risks due to its inherent sensitivity. While in other use cases, such as studying medical conditions, the risk lies in the potential for an attacker to connect the data to a specific individual, genetic data takes this a step further. The genetic data inherently pertains to the individual’s identity, making it a high-risk category for sensitive information misuse.
While challenges and risks persist, the integration of AI in digital healthcare is rapidly advancing. Aidoc, a prominent player in the field of AI-driven digital healthcare based in Israel, specialises in leveraging artificial intelligence for medical imaging. The company’s core focus lies in developing advanced AI algorithms designed to assist radiologists in interpreting medical scans with greater efficiency and accuracy. Aidoc’s proprietary software is adept at analysing a wide range of medical images, including X-rays, CT scans and MRIs.
To date, there are no specific enacted regulations that address the use of AI and machine learning data in healthcare.
However, an Artificial Intelligence and Data Science Committee was appointed in February 2020 by TLM (the Forum for National Infrastructures for Research and Development), with the aim of examining the need for government intervention to accelerate the development of Artificial Intelligence and Data Science.
The committee recommended that future regulation in the field of AI should address the following.
The Ministry of Innovation, Science, and Technology (MIST) launched the national artificial intelligence (AI) programme in July 2022. Subsequently, in October 2022, MIST issued policy principles on regulatory and ethical considerations for AI in Israel. These principles indicated that comprehensive regulation across the entire AI domain was deemed unnecessary at this stage. Instead, they proposed that individual regulators assess the necessity for specific regulations within their respective sectors. Additionally, MIST advocated for a government policy centred on risk management, inter-agency dialogue and co-ordination, and the utilisation of flexible and advanced regulatory approaches, such as voluntary standardisation and self-regulation where applicable.
Companies that develop and sell new digital healthcare technologies must comply with the provisions of the health data circulars, as well as with the provisions of the law and the privacy regulations (if the technology collects personal data).
Agreements with public healthcare companies require that special attention be given to the regulatory environment of the healthcare entity (eg, an HMO).
In general, the lack of stringent digital health enforcement in Israel creates a more accessible landscape for the digital healthcare market.
The IT infrastructure of the HMOs providing care to the majority of the patient population in Israel is well developed to support digital healthcare. The same is true for the main large hospitals. Some of the challenges ahead include:
To date, there are no specific proposed regulations or enacted regulations regarding the implementation of IT upgrades. In general, the manner in which data is managed is not statutorily regulated, except for regulation in connection with the protection of data privacy (Protection of Privacy Law, 5741-1981 and Protection of Privacy Regulations (Data Security) 5777-2017) and the health data circulars aimed at regulating secondary use of health data and big data research.
Patents are generally available for any invention that is a product or a process in any technological field that is novel, non-obvious, useful and capable of industrial application. A noteworthy exception to patentability is the prohibition of patents for a process of medical treatment of humans. This exception, coupled with case law trends concerning patentable subject matter, sometimes creates hurdles in pursuit of patent protection for inventions relating to personalised medicine. The territorial limitation of patents (patents being enforceable only within the territory of the country where they were registered) requires careful drafting of claims of patents relating to ex vivo diagnostics of medical conditions.
Copyright protects software as a literary work, but such protection generally extends only to the way of expression rather than the functionality and technological ideas underlying the code. The latter should be protected by patents where possible. Data sets are generally not protected by copyright and there is no sui generis database protection in Israel.
Trade secret protection is available in Israel and may protect confidential information, including non-patentable inventions and non-copyrightable data sets. However, in order to benefit from such protection, the information must be kept confidential, and the owner of the confidential information must show that they took reasonable efforts to protect the confidentiality of the trade secrets. Reverse engineering, as such, is permissible.
The Patents Registrar decided that an artificial intelligence machine, claimed to have conceived the invention, lacks eligibility as an inventor, and thus cannot bestow patent ownership upon itself (Patents Registrar Decision regarding Patent Applications Nos 268604 and 268605 of Applicant Dr Stephen Thaler (15 March 2023)). The ruling is currently under appeal.
In general, IP rights in the field of healthcare are difficult to enforce, since there is a convention that healthcare should be for the benefit of the public and enforcing rights in this field can be deemed as harming access to health.
Patent protection is governed by the Patents Law, 5727-1967. The law defines a patentable invention as one that is a product or process in any area of technology, which is novel, has inventive step, and has utility and industrial application. However, the law excludes a certain type of invention: a process for human medical treatment. Diagnostic and veterinary methods are not excluded per se.
A discovery, scientific theory, mathematical formula, game rules and computer software, are not patentable per se, due to case-law precedents. In general, if the invention involves a technological solution to a technological problem, it is patentable, whether the solution is in the software, or not. There is no specific legislation applicable to digital health inventions and every application is examined on its merits.
There are some difficulties in protecting software and algorithms, since, on the one hand, patentability issues may arise, and, on the other hand it is difficult to enforce such rights from the evidentiary aspect (to prove that the competitor copied the code).
Copyright protection is governed by the Copyright Law, 5768-2007. Copyright law protection may be particularly relevant to software and certain compilations of data, but there is no protection of databases per se.
As of 2018, icons, graphical user interfaces and screen presentations are not protected by copyright, but rather by the Designs Law, 5777-2017. Non-registered designs are protected for three years and registered designs are protected for up to 25 years.
Trade-secret protection is governed by the Commercial Torts Law, 5759-1999. A trade secret is defined as “business information, of all kinds, which is not in the public domain and is not easily disclosed by others lawfully, and the confidentiality of which affords its owners a business advantage over their competitors, provided that its owners take reasonable steps in protecting its confidentiality”.
The law prohibits misappropriation of a trade secret which is defined as:
(i) taking a trade secret without the owner’s consent by improper means, or the use of the secret by the acquirer;
(ii) use of a trade secret without the consent of its owner where the use is contrary to a contractual obligation or a duty of trust the user has to the trade-secret owner; and
(iii) acquiring a trade secret or using it without the consent of its owners, where it is clear that the trade secret has been unlawfully obtained according to (i) or (ii).
It should be noted that disclosure of a trade secret through reverse engineering will not, in itself, be regarded as improper. Health data is a classic example of a trade secret but the requirement of keeping it “not easily disclosed by others” can be difficult while using AI technologies.
The health data circulars set forth the provisions to be included in collaboration agreements based on secondary uses of health data (such as the purpose of using the data or maintaining the confidentiality of the data). In general, the main contractual issues that need to be taken into account are:
In general, HMOs request monetary considerations and rights to use the products, based on use of the data they grant access to. The issue of royalty-stacking may arise, leading to a burden of royalties to be paid by start-ups.
Employers, including universities and healthcare institutions, will generally be the owners of IP rights generated by their employees in connection with their employment. This is both in terms of the default rule under the Patents Law and the Copyright Law, as well as the standard practices of such organisations, which often expand beyond the statutory provisions by means of employment contracts and intellectual property by-laws. All academic institutions share the revenues collected by the commercialisation of such intellectual property with the researchers. HMOs differ in their approaches and practices. The allocation of IP rights when private sector technology companies are involved in developing the device or medical innovation is typically governed by contract. Special provisions apply to governmental hospitals, which are more limited in their ability to contract with the private sector.
The default rule is that any person who made an inventive contribution to the inventive concept of the invention is an inventor and is the owner of the invention. When there are several co-inventors, they will be co-owners (unless they are in the employ of a third party, in which case the employer will own a share of the invention). All of these default rules may be superseded by contract.
It is standard practice to distinguish between background IP and foreground IP, with ownership of the background IP remaining with the original owner, who may grant limited licences to use the background IP in order to exploit the foreground IP, and the foreground IP being owned as agreed by the parties. Because of regulatory constraints and other considerations, many HMOs will waive co-ownership in exchange for various monetary rights, such as royalties, milestone payments, exit phase, cross-licence or the right to use the resulting foreground IP.
The first theory of liability arising from decisions based on digital health technologies such as data analytics, AI, machine learning and software as a medical device is, of course, the tort of negligence. In general, the three main elements of this tort are the existence of a duty of care, deviation from a reasonable standard of practice, and a causal connection between the defendant’s act or omission and the damage suffered by the plaintiff. The manufacturer of a medical device will generally be held to owe a duty of care towards users of the device. Adherence to acceptable standards should mitigate the risk of liability. Otherwise, the manufacturer will have to show that it took reasonable efforts to prevent the damage, with the foreseeability of the damage and the level of efforts required being directly related, namely, the more foreseeable the damage is, the higher the level of efforts required.
It is hard to see how a decision to use an approved medical device can be deemed negligent. However, a decision to use a medical device in development could theoretically attract liability and the putative defendant would have to show that they took reasonable measures to verify that the device’s algorithm would not cause harm or produce misleading results. As is the case with other industries, the courts will have to acquaint themselves with the developing best practices that aim to deal with the problem of lack of transparency of machine learning algorithms.
If a medical device inflicted physical damage on a patient, the manufacturer of the device may be held liable under the Defective Product Liability Law, 5740-1980, which imposes a strict liability (no fault) on the manufacturer.
Theories of liability when third-party vendors’ products or services cause harm to healthcare institutions are generally the same as those discussed in 15.1 Patient Care. The main difference, however, is the ability of the healthcare institution to protect itself through contract by obtaining proper warranties and indemnification obligations. In addition, health institutions may forfeit at least part of the right for compensation if they are shown to have breached their obligation to mitigate damage. Thus, some institutions already proactively monitor their internet-connected equipment to detect vulnerabilities and prevent cyber-attacks.
26A Habarzel St
Tel Aviv 6971037
Israel
+972 3 567 2000
+972 3 567 2030
info@gilatadv.co.il www.rcip.co.il/en/