Contributed By Kieszkowska Rutkowska Kolasiński
Polish regulatory provisions do not provide for a legal definition of the terms “digital health” and “digital medicine”. The distinction between these concepts is, therefore, a matter of practice and technical distinctions in many detailed regulations.
As a rule, it can be said that digital health is the broader concept, covering:
By contrast, digital medicine would be understood as a narrower concept, that is, the use of the aforementioned technologies and concepts for the provision of healthcare to individual patients.
The clearest distinction between the two can be seen in regulatory requirements - eg, digital health technologies as such need not meet the regulatory definition of a medical device, whereas digital medicine solutions frequently will (see 5.1 Categories, Risks and Regulations Surrounding Software as a Medical Device Technology). However, digital health products or technologies, when used by healthcare service-providers to provide healthcare services or process patient medical files, will be subject to regulatory requirements that are applicable to healthcare service-providers (see in particular 3.2 Recent Regulatory Developments, 3.3 Regulatory Enforcement and 6. Telehealth).
Polish law does not provide for a legal definition of "digital health" and "digital medicine" or "telehealth" or "telemedicine", but recognises a general possibility for providing healthcare services via IT or telecommunication systems.
Medical Activities and Healthcare Services
The Act on Medical Activity provides that medical activity may be conducted through IT and communication systems. Medical activity is defined as providing healthcare services (activities intended to preserve, save, restore or improve health and other medical activities arising from the treatment process), promoting health, conducting teaching and research in connection with the provision of healthcare services and promoting health, or implementing new medical technologies and methods of treatment.
Polish law defines a “tele-consultation” as a primary healthcare service provided remotely using IT systems or communication systems. Primary healthcare is a category of guaranteed, ie, publicly financed, healthcare services provided by a doctor, nurse or midwife, such as basic health advice and diagnostics, consultations by general practitioners, etc.
The rise and proliferation of digital healthcare and digital medicine solutions is fuelled by a confluence of a number of trends and technologies. The increase in computing power and storage capacity, and the availability of cloud storage and cloud-computing solutions, make storing and analysing large volumes of medical data – both for digital medicine and healthcare purposes – more feasible.
The digitisation of medical devices and use of wearables (eg, smart watches) result in availability of growing volumes of high-quality digital medical data.
The growing use of smartphones, access to computers and high speed and bandwidth internet and mobile internet means that people can take advantage of telemedicine services.
The development of artificial intelligence/machine learning (AI/ML) solutions builds on all of these trends.
As all the new technologies and solutions in digital health either require or aim at providing large volumes of high-quality medical data, one of the most important issues is how such data can be used, by whom and for what purposes. The rules on the use of medical data (either personal, pseudonymised or anonymised) for research and development by both public sector and private business need to be updated in order to allow any such development.
This raises the technical but important issue of establishing laws or guidelines on how medical data should be pseudonymised or anonymised in order to minimise the risk of re-identification – an issue which necessarily entails some hard choices between the quality and completeness of available data and patient privacy.
This last factor raises the need for establishing rules of handling non-personal medical data (which are not protected under the General Data Protection Regulation (GDPR)) and transparency and accountability obligations connected with that use.
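The trade-off described above can be made concrete. The following is an added example (not part of the original contribution or of any Polish regulation or guideline) that pseudonymises a constructed set of patient records with a keyed hash and then measures how far the remaining quasi-identifiers (date of birth, postcode, sex) must be coarsened before every record shares its quasi-identifier combination with at least k-1 others (k-anonymity). The records, the PESEL-style identifiers and the key are all invented; the generalisation levels and the choice of HMAC-SHA256 are the author's assumptions, not a standard the page cites.

```python
import hashlib
import hmac
from collections import Counter
from itertools import product
from typing import Optional

# Constructed sample records (invented, not real patients). Direct identifiers
# (name, national ID number) are kept apart from quasi-identifiers
# (dob, postcode, sex) and the clinical attribute (ICD-10 diagnosis code).
RECORDS = [
    {"name": "A. Kowalska",    "pesel": "90010112345", "dob": "1990-01-01", "postcode": "00-950", "sex": "F", "dx": "J45"},
    {"name": "B. Nowak",       "pesel": "90020254321", "dob": "1990-02-02", "postcode": "00-951", "sex": "F", "dx": "J45"},
    {"name": "C. Wiśniewski",  "pesel": "85030367890", "dob": "1985-03-03", "postcode": "30-001", "sex": "M", "dx": "I10"},
    {"name": "D. Wójcik",      "pesel": "85040498765", "dob": "1985-04-04", "postcode": "30-002", "sex": "M", "dx": "I10"},
    {"name": "E. Kamińska",    "pesel": "72050511223", "dob": "1972-05-05", "postcode": "80-100", "sex": "F", "dx": "E11"},
    {"name": "F. Lewandowska", "pesel": "75060633445", "dob": "1975-06-06", "postcode": "80-101", "sex": "F", "dx": "E11"},
]

QUASI_IDENTIFIERS = ("dob", "postcode", "sex")


def pseudonymise(record: dict, key: bytes) -> dict:
    """Swap direct identifiers for a keyed HMAC-SHA256 token.

    An unkeyed hash would not do: national ID numbers are low-entropy and
    enumerable, so an attacker could hash every candidate and match tokens.
    Whoever holds the key can still re-identify, so the result is
    pseudonymised personal data under the GDPR, not anonymised data.
    """
    token = hmac.new(key, record["pesel"].encode(), hashlib.sha256).hexdigest()[:16]
    out = {k: v for k, v in record.items() if k not in ("name", "pesel")}
    out["pid"] = token
    return out


def generalise(record: dict, dob_level: int, postcode_level: int) -> dict:
    """Coarsen quasi-identifiers; a higher level means less detail and more privacy."""
    dob, pc = record["dob"], record["postcode"]
    if dob_level == 1:
        dob = dob[:4]            # year only
    elif dob_level >= 2:
        dob = dob[:3] + "0s"     # decade, eg "1990s"
    if postcode_level == 1:
        pc = pc[:2]              # first two digits of a Polish XX-XXX code
    elif postcode_level >= 2:
        pc = "*"                 # suppressed entirely
    return {**record, "dob": dob, "postcode": pc}


def k_anonymity(records: list) -> int:
    """Size of the smallest equivalence class over the quasi-identifiers."""
    groups = Counter(tuple(r[q] for q in QUASI_IDENTIFIERS) for r in records)
    return min(groups.values())


def distinct_classes(records: list) -> int:
    """Utility proxy: how many distinct quasi-identifier combinations survive."""
    return len({tuple(r[q] for q in QUASI_IDENTIFIERS) for r in records})


def minimal_generalisation(records: list, k: int) -> Optional[tuple]:
    """Least coarsening (by total level, then by dob level) that reaches k-anonymity.

    Returns (dob_level, postcode_level) or None if no level combination suffices.
    """
    for levels in sorted(product(range(3), range(3)), key=lambda t: (sum(t), t)):
        if k_anonymity([generalise(r, *levels) for r in records]) >= k:
            return levels
    return None


if __name__ == "__main__":
    key = b"assumed-secret-key-held-by-the-hsp-only"   # assumption: kept apart from the data set
    pseudo = [pseudonymise(r, key) for r in RECORDS]
    print("raw quasi-identifiers:", k_anonymity(pseudo), "-anonymous,",
          distinct_classes(pseudo), "distinct classes")
    levels = minimal_generalisation(pseudo, k=2)
    coarse = [generalise(r, *levels) for r in pseudo]
    print("after generalisation", levels, ":", k_anonymity(coarse), "-anonymous,",
          distinct_classes(coarse), "distinct classes")
```

On the constructed data, removing names and ID numbers alone leaves every record unique on its quasi-identifiers (k = 1), which is exactly the re-identification exposure the text refers to; reaching k = 2 requires reducing dates of birth to decades and postcodes to their first two digits, which collapses six distinct records into three classes and therefore costs analytical detail. The same trade-off is what any pseudonymisation or anonymisation guideline has to decide on.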
Work on the development of telehealth in Poland began even before the COVID-19 pandemic. The Polish legislator successively introduced new solutions enabling the provision of healthcare services in the telemedicine model.
However, the COVID-19 epidemic resulted in a significant increase in the number of health services provided in the form of telemedicine - especially in the field of primary health care. A rising number of new healthcare entities on the market provide outpatient health services (eg, outpatient clinics, non-hospital health centres) exclusively in the telemedicine model.
Health Problems Arising from Climate Change
The primary consequence of climate change in Poland is the increased intensity of extreme weather phenomena (heatwaves, droughts, downpours). Furthermore, Poland faces a serious problem of air pollution. This poses a particular threat to the health of immuno-compromised patients and patients suffering from respiratory and cardiovascular diseases.
The Government’s Perspective
The problems arising from climate change, albeit noticed in the government’s strategies, have so far not been seriously reflected in actions taken by the Polish authorities. The National Health Programme for 2021–2025 specifies “Environmental health and infectious diseases” as one of its five key objectives. However, apart from general educational activities and supporting scientific research, the strategy does not present any real solutions to the problems that arise from environmental changes.
Advantages of Digital Healthcare
Digital healthcare offers the possibility of caring for larger groups of patients than traditional in-person care. Telemedicine and applications for monitoring patients or environmental factors can be beneficial for patients who should not leave home, eg, on days when conditions (air pollution, heatwaves) are unfavourable.
The key regulatory agencies operating in the area of healthcare include the following.
The Minister of Health (MoH)
The regulatory powers of the MoH include the following.
The MoH decides whether a given medicinal product or medical device will be reimbursed. Risk-sharing schemes concluded in connection with reimbursement decisions may cover additional obligations, eg, the obligation to make software (eg, a mobile application) dedicated to a given reimbursed product available to patients, or the obligation to aggregate specific data related to efficacy and safety of treatment (see 14.1 Hot Topics That May Impact Digital Healthcare in the Future).
Public financing of healthcare services
The MoH decides whether to finance health services (specific medical procedures) with public funding. New technologies within the framework of digital healthcare and digital medicine, such as, eg, medical devices supporting diagnostic and therapeutic decisions, operating on the basis of AI/ML algorithms, can be publicly financed as elements of specific medical procedures.
The MoH can audit healthcare service-providers (HSPs), including HSPs providing telemedical services (see 3.3 Regulatory Enforcement).
Creation of databases
The MoH can create public registers containing medical data on specific diseases, disorders or disabilities (see also 3.2 Recent Regulatory Developments).
The President of the Office for the Registration of Medicinal Products, Medical Devices and Biocidal Products (RO President)
The regulatory powers of the RO President include the following.
Supervision of medical devices
Medical devices include software as a medical device (SAMD), as well as devices operating on the basis of AI/ML algorithms – manufactured, placed onto the market, put into use or subject to performance evaluation in Poland.
Authorising clinical investigations and clinical trials
The RO President authorises clinical trials (in the case of medicinal products) and clinical investigations (in the case of medical devices) carried out in Poland and also has competence in the area of pharmacovigilance.
The prerogatives of the RO President are currently undergoing significant changes because of the start of application of the Medical Devices Regulation (MDR) from 26 May 2021, which has largely replaced the previous provisions of the Polish Act on Medical Devices. The new Polish Act on Medical Devices, which is intended to regulate issues not regulated in the MDR, in particular how the powers of the RO President are exercised, has not yet been enacted (see 3.3 Regulatory Enforcement and 5.1 Categories, Risks and Regulations Surrounding Software as a Medical Device Technology).
The President of the National Health Fund (NHF)
The NHF is primarily responsible for the public financing of health services.
The President of the Agency for Health Technology Assessment and Tariff System (AOTMiT)
The AOTMiT is the Polish HTA agency. The task of the AOTMiT is to provide substantive support to the MoH in making decisions on pricing and public financing of healthcare services, including digital health and digital medicine services.
A gradual digital transformation of the healthcare sector in Poland in recent years has become apparent.
One of the main directions of regulatory changes is the gradual development of public IT systems and healthcare databases. The development of the “P1 Platform”, namely the Electronic Platform for Collecting, Analysing and Sharing Digital Resources on Medical Events, is one of the key projects.
The P1 Platform currently includes a number of independent systems and databases that provide various functionalities to patients, healthcare-providers and public authorities, which are related to the planning, provision and management of healthcare services. Among the systems and functionalities currently operating within the P1 Platform are the following.
Apart from these "horizontal" systems, the Minister of Health has established over a dozen registers containing medical data on specific diseases, disorders or disabilities (eg, the register of vascular operations, the National Cancer Registry, and others).
Another important regulatory trend is the gradual shift from paper to electronic medical records. From 1 January 2021, as a general rule, medical records should be kept in electronic form. Keeping medical records in paper form is only possible in exceptional situations, and certain categories of documents, such as prescriptions and laboratory test results, must be kept in electronic form without exception.
The aforementioned regulatory trends combine into a trend of gradually integrating electronic medical records with the MIS (one of the systems operating on the P1 Platform). Ultimately, all patient medical data in the medical records kept by an individual HSP is to be made available to other HSPs through the MIS.
An important direction of change currently being discussed is the assurance of greater availability of medical data to non-public entities for purposes of scientific research and development work (clinical trials and investigations, development of AI/ML, building solutions in telemedicine and e-health). The need to ensure greater data availability – also for private entrepreneurs – is indicated by both EU and national documents. For example, the Policy for the Development of Artificial Intelligence in Poland from 2020, adopted by the Polish Council of Ministers, indicates that the public sector will pursue:
The conclusions of the European Commission’s Assessment of the EU Member States rules on health data in the light of the GDPR, and the draft European Data Governance Act published in November 2020, are heading in the same direction. Meanwhile, in the fourth quarter of 2021, the EU is expected to publish a proposal for the European health data space, which could be of importance in making health data more accessible to stakeholders of all kinds.
Each agency identified in 3.1 Healthcare Regulatory Agencies has its own supervisory powers and has the ability to impose sanctions. These may be both administrative sanctions (eg, withdrawal of the licence/authorisation) and, in some cases, financial sanctions. Proceedings are based on the Polish administrative procedure, while final decisions issued by agencies are subject to judicial review.
MoH’s Supervision of Healthcare Service-Providers
The MoH is responsible for supervising whether HSPs are in compliance with the law (also when providing telemedicine services). HSPs that provide only telemedicine services are not subject to some of the obligations that are incumbent on HSPs providing traditional health services (eg, premises requirements), but they still have to fulfil a number of other obligations (eg, related to medical records, MIS integration, etc). The MoH can:
After an audit, the MoH prepares an audit report, in which it can present audit recommendations, ordering identified irregularities to be corrected. Failure to comply with recommendations can result in the HSP being removed from the HSP register (the performance of medical activity without registration is an offence and is punishable by arrest, a restriction of freedom or a fine).
Supervision of the Medical Devices Market by the RO President
The RO President supervises devices that are manufactured, placed onto the market, put into use or subject to performance evaluation in Poland. This also applies to software as a medical device, and devices operating on the basis of AI/ML algorithms.
The powers of the RO President regarding the supervision of medical devices are currently undergoing significant changes because of the start of the application of the Medical Devices Regulation (see 5.1 Categories, Risks and Regulations Surrounding Software as a Medical Device Technology). Therefore, the following are the most important powers of the RO President arising from the MDR.
The RO President may request that manufacturers of medical devices provide all the information and documentation necessary to demonstrate conformity of the medical device. Manufacturers are obliged to co-operate with the RO President on any corrective action taken to eliminate or, if that is not possible, to mitigate the risks posed by devices which they have placed on the market or put into service.
If the manufacturer fails to co-operate or the information and documentation provided is incomplete or incorrect, the RO President may take all appropriate measures to prohibit or restrict the device from being made available on the market, to withdraw the device from that market or to recall it.
The RO President may conduct inspections of economic operators (manufacturers, importers, distributors, sub-contractors operating in Poland, etc). These inspections can cover all activities conducted during the product life cycle, including design, manufacturing, storage, distribution, assembly and placement on the market.
The RO President may also audit the device, its documentation and the conditions of its use by professional users (HSPs) at the place of that use.
If necessary, the inspections may be unannounced.
If the RO President finds that a device presents an unacceptable risk to the health or safety of patients, users or to public health, it can require the manufacturer and all other relevant economic operators to take all appropriate corrective action to bring the device into compliance and to restrict the availability of the device on the market, to subject the availability of the device to specific requirements, to withdraw the device from the market, or to recall it.
The RO President also monitors investigations of serious incidents regarding medical devices conducted by manufacturers. Where necessary, the RO President may intervene in a manufacturer’s investigation or initiate independent investigations.
Pursuant to the draft of the Act on Medical Devices, the RO President will be authorised to impose administrative fines for non-compliance with MDR or the Polish Medical Devices Act.
One of the key regulatory aspects of digital healthcare and medicine activities is compliance with personal data protection law. Firstly, digital healthcare and medicine are inextricably linked with an increase in the volume of data – both in terms of the number of people whose data is processed and the amount and categories of data used. Secondly, medical data can be accessed not only by HSPs but also by technology providers – IT service-providers (including Software as a Medical Device (SAMD) providers), suppliers of physical medical devices which are integrated with additional services supporting diagnostics and therapy (eg, diagnostic imaging devices that record, store and transmit Computerised Tomography (CT), magnetic resonance imaging (MRI) or Positron Emission Tomography (PET) images, and which can be offered in combination with remote diagnostic services), etc. All of this makes it particularly important to comply with data privacy obligations.
The authority supervising compliance with data protection law is the President of the Personal Data Protection Office (PPDPO).
The PPDPO has oversight over all personal data processing conducted by any entities operating in the area of digital healthcare. The PPDPO does not supervise the implementation of all regulatory obligations resulting from sector-specific regulations in the area of digital healthcare. The PPDPO supervises the implementation of these obligations to the extent that these sectoral regulations impose obligations related to the processing of personal data, eg, the obligation to implement specific security measures, or the obligation to share this data with other entities only under certain conditions.
The PPDPO’s supervision covers such issues as the following.
Regulation (EU) 2017/745 on medical devices (MDR) became directly applicable in all EU Member States on 26 May 2021. This act forms the basis of a comprehensive EU reform of the medical device law. The MDR replaced most of the provisions of Polish law on medical devices. Some issues related to medical devices under the MDR have been left to be clarified at the level of national legislation. Work is still in progress on the new Polish Act on Medical Devices, which is to replace the existing Act of 20 May 2010.
Software as a Medical Device
The regulatory definition of medical devices enshrined in MDR includes SAMD. Pursuant to Article 2(1) of the MDR, "medical device" means, among others, software, intended by the manufacturer to be used, alone or in combination, for human beings for one or more of the following specific medical purposes:
and which does not achieve its principal intended action by pharmacological, immunological or metabolic means, in or on the human body, but which may be assisted in its function by those means.
When deciding whether software will be a medical device, the guidance provided by the European Commission in MEDDEV documents and the guidance provided by the Medical Device Co-ordination Group (MDCG) plays an important role.
According to that guidance, software which performs operations on data and is intended for the benefit of an individual patient to support or influence the medical care provided to that patient will nevertheless not be a medical device if its operations on data are limited to storing, archiving, transmitting (communicating), simple searching or lossless compression. Only software that does something more with the data (eg, analyses it to produce information used for diagnosis or therapy) can fall within the definition.
Devices that operate on the basis of AI/ML algorithms are not more likely to meet the above definition solely by virtue of this fact. Rather, the deciding factor will be whether both the purpose and the function of the AI/ML system satisfy the above-mentioned criteria.
For example, Optical Character Recognition (OCR) software using AI/ML algorithms to digitise patient medical records or the healthcare professional’s notes will not be a medical device. Similarly, image management systems (IMS) that use AI/ML algorithms to extract information from patient files, not for the benefit of individual patients, but for public health purposes or for scientific research, will not be a medical device.
However, an IMS that incorporates AI/ML algorithms that support post-processing of images to assist diagnosis, will be a medical device.
The MDR brought important changes to SAMD classification rules. According to the previous classification rules, SAMD in most cases belonged to class I, and in certain cases – to class IIa or IIb. SAMD was not classified in class III.
Under the new classification rules (Rule 11 of Annex VIII to the MDR), software intended to provide information which is used to take decisions with diagnostic or therapeutic purposes is class IIa by default. It is class III if such decisions may cause death or an irreversible deterioration of a person's state of health, and class IIb if they may cause a serious deterioration of a person's state of health or a surgical intervention. Software intended to monitor physiological processes is class IIa, rising to class IIb where it monitors vital physiological parameters whose variations could result in immediate danger to the patient. All other software is class I.
As soon as software is no longer classified as class I, manufacturers must:
Importantly, on a literal reading, the new classification rules have been formulated in a way that does not take into account the probability of a negative effect when making the assessment – only the severity (eg, "might lead to death") or duration ("irreversible") of potential negative outcomes is considered. The MDCG and IMDRF guidelines address this problem, to some extent.
Seeing the opportunities arising from the development of technology and taking into account the lack of human resources among healthcare professionals (HCPs), the Polish legislator has been successively introducing solutions enabling the use of telemedicine solutions.
Since 2015, the development of telemedicine can be seen primarily in the area of tele-consultations – especially by primary care doctors. After conducting a tele-consultation, doctors can also issue prescriptions, which, as a rule, are currently issued only in electronic form.
Telemedicine solutions are also popular in image diagnostics, and within it – tele-radiology, involving the remote provision of description or consultations of radiological images services, provided to an HSP by an external vendor.
The Market Practice
Telemedicine understood in this way is an optional model of operation on the medical services market, which complements and, in some areas, almost supersedes the traditional, stationary scheme of operation. There are HSPs which provide outpatient healthcare services (eg, outpatient clinics, non-hospital health centres) exclusively as tele-consultations. In principle, HSPs operating “telemedical” clinics (ie, providing services only remotely), must satisfy the same regulatory requirements as physical establishments, but do not need to satisfy the requirements as to the types of premises and equipment that they have (which is highly convenient in practice).
The Minister of Health may specify the detailed requirements to be satisfied by the premises, equipment, and IT systems of an HSP providing exclusively outpatient health services in the form of telemedicine. However, no such regulation has been issued to date.
Popularising and Facilitating Tele-consultations
The appearance of the COVID-19 epidemic has had a significant impact on the development of telemedicine. The increasing number of people staying at home directly translated into an increase in demand for tele-consultation, tele-care and tele-diagnostic services.
Response to this growth involved taking advantage of the already available general legal solutions enabling health services to be provided remotely (see 1.5 Impact of COVID-19) while, at the same time, relieving doctors providing tele-consultations in connection with combating COVID-19 from certain obligations, eg, regarding the keeping of medical records.
Changes were also introduced to enable the provision of tele-medicine in sensitive areas, such as guaranteed healthcare services in psychiatric care and treatment of addictions, nursing and care services in long-term care or palliative and hospice care.
The rules on checking patient identity and verifying rights to publicly financed healthcare services have also been relaxed for the duration of the COVID-19 epidemic – enabling verification through ICT or communication systems, including through video-conferencing and messaging tools (such as Zoom and Microsoft Teams, etc).
Additional Requirements for Tele-consultations
In some situations, publicly financed services can only be provided in direct contact with the patient. Examples of such situations are:
These restrictions do not apply to privately funded services.
Public Financing of Telemedicine
In order for a medical facility to provide publicly financed telemedicine health services, the following is required.
Firstly, this method of providing services must be permitted by the NHF (eg, primary healthcare tele-consultations).
Secondly, an HSP needs to conclude a contract with the NHF for the provision of specific services (eg, primary healthcare tele-consultations).
Thirdly, the HSP must provide telemedicine services in accordance with current medical knowledge and in compliance with the law and the NHF contract (see 3.2 Recent Regulatory Developments and 6.2 Regulatory Environment), and then submit those properly performed services for settlement to the NHF.
Commercial Financing of Telemedicine
Health services using telemedicine are also becoming increasingly common in the private sector. In such a case, the price is not subject to specific regulations and, for instance, private insurers set their own financing rules.
The proliferation of IoT is fuelled by the confluence of trends and technologies discussed in 1.4 Emerging Legal Issues, 8. 5G Networks, 10. AI and Machine Learning and 11.2 Cloud Computing. Because the very aim of IoT solutions is to acquire more data on patients and users, one of the most important regulatory contexts for IoT is data privacy and access to data (discussed in 4.1 Non-healthcare Regulatory Agencies, Regulatory Concerns and New Healthcare Technologies and 9.1 The Legal Relationship between Digital Healthcare and Personal Health Information).
Because some IoT products will fall into the medical devices category (eg, wearable defibrillators, wearable Holter monitors (a type of portable electrocardiogram - ECG)), the MDR provides a regulatory framework which is also central to IoT in healthcare (see 5.1 Categories, Risks and Regulations Surrounding Software as a Medical Device Technology).
Depending on the business set-up, companies supplying IoT solutions may also be considered HSPs – and need to satisfy specific requirements connected with the provision of healthcare services.
But even if an IoT product (including software used in connection with an IoT product) is not a medical device (or an accessory to a device) in itself, but is designed to work with a medical device, it may still need to be assessed with regard to the safety of its performance.
If a medical device is intended for use in combination with other modules/products (including software), the whole combination, including the interfaces between those parts, must be safe and must not impair the specified performance of the modules which are subject to the medical-device regulations. Important guidance on this topic is provided in the MDCG Guidance on Qualification and Classification of Software in MDR and IVDR (MDCG 2019-11) and the European Commission’s Manual on borderline and classification in the community regulatory framework for medical devices.
Cybersecurity is another important requirement. For IoT solutions which are medical devices, cybersecurity must be addressed as part of the conformity assessment process, since the MDR's general safety and performance requirements cover it. However, even devices which are not medical devices need to provide adequate levels of data security (because of GDPR requirements or defective product liability requirements). In both cases, the MDCG Guidance on Cybersecurity for medical devices (MDCG 2019-16) provides important information on how to fulfil these requirements.
In the case of both medical device and non-medical device IoT solutions, cybersecurity obligations do not end at the moment of placing them on the market. During the support lifetime of the IoT product, the manufacturer should put in place a process to gather post-market information (including reports of vulnerabilities), evaluate the information thus gathered and the associated security and safety risk, and take appropriate measures to control the risk associated with such vulnerabilities (eg, software updates).
Thanks to the unprecedented speed and bandwidth of 5G, many people have a chance to take advantage of telehealth services. Medical treatment in disaster areas and by first responders will also benefit, due to faster and more effective assistance (eg, thanks to real-time support obtained remotely by the rescuers, more accurate data on injured persons' position or condition, fastest evacuation routes, etc). It also offers an opportunity to popularise remote diagnosis, the use of wearable medical devices and remote, robotic procedures (including surgery).
Moreover, the mobile IoT devices equipped with various sensors and apps prepared by the experts may become tools for reliable and universal self-diagnosis.
The benefits of the 5G network depend on the quality of services rendered by telecom providers. These, in turn, rely on the infrastructure they have at their disposal (which is still developing). Therefore, when making arrangements with suppliers, healthcare institutions should, in particular, find out if and where the 5G network is available. It should also be determined which devices can use 5G (and therefore whether the institution may offer its services to all customers/patients). Arrangements with telecoms-providers should also set guaranteed service availability levels and time limits for the removal of faults.
Sharing and Use of Data for Patient Treatment
Access to, the use and sharing of medical data which is personal data, individual medical data which is not personal data, and non-individual (aggregated) medical data for patient treatment is generally permitted only under specific conditions. As a general rule, medical records can be shared between HSPs, and HSPs can access medical data (both personal data and non-personal data) contained in public registries and systems (although patient consent is required in certain cases).
The GDPR applies to the processing of patient personal data (including medical data) for the purposes of providing healthcare services, so HSPs have to discharge their duties as data controllers under GDPR (see 4.1 Non-healthcare Regulatory Agencies, Regulatory Concerns and New Healthcare Technologies). Patient consent for processing for purposes of providing healthcare, and for uploading patient data from his or her medical records to public registries and systems, is not required (different legal grounds can be relied on).
Private business may have access to and process patient medical data if it is necessary in the context of providing healthcare services – eg, hospital information system (HIS) software-providers as part of helpdesk and update services, companies leasing imaging equipment, together with software used to process personal data (such as CTs, PETs, MRI scanner sets which also archive, manage and process image files), IT security companies, cloud storage or cloud computing companies. Typically, in such cases these third-party vendors will operate as data processors of HSPs.
Access to and use of patient medical data by private business for purposes other than providing healthcare services is currently limited.
Sharing and Use of Data for Research and Development
Complicated legal landscape
Access to, the use and sharing of medical data which is personal data, individual medical data which is not personal data, and non-individual (aggregated) medical data for research and development purposes is regulated in a number of different regulations and in divergent ways, depending on where the data originates from.
There are separate rules concerning access to patient’s medical files, access to medical data in systems operating on the P1 Platform – MIS, e-Prescription, Online Patient’s Account (see 3.2 Recent Regulatory Developments), in public registers created by the Minister of Health (see 3.1 Healthcare Regulatory Agencies), in the SMPT register run by the National Health Fund (see 3.1 Healthcare Regulatory Agencies), or other public registers.
Access to medical files
As a general rule, access to a patient’s medical files for purposes other than patient treatment (eg, research and development purposes) by private business requires patient consent. Even after a patient’s death, access requires the consent of a person who was authorised to access the files by the patient during his or her lifetime, or the patient’s legal representative. Consent is not required in the case of higher education institutions and research institutes – if these use the data only for scientific purposes.
This, combined with the issues mentioned in 11.1 IT Upgrades for Digital Healthcare, makes data contained in medical files hard for private business to access – even in anonymised form.
Access to data in public registers
Different public registers and systems have rules of access to and use of data that diverge not only from the rules applicable to medical records, but also from each other, register by register and system by system.
As a general rule, access to data (both personal data and individual medical data) is limited to HSPs and public institutions. Access to data by private business is either subject to the patient's or his or her legal representative’s consent (MIS) or not regulated at all (SMPT).
Data from public registers created by the MoH may be made available for scientific research in anonymised form. The data may also be used by public authorities, including the National Health Fund - to monitor the demand for healthcare services and their quality and cost-effectiveness.
Access to data from public registers based on laws on accessibility of public information or re-use of public sector information is possible, but difficult in practice – partly because of an imprecise definition of public information, partly because of a lack of awareness on the part of the public sector of how these mechanisms should operate.
Use of data obtained from public registers
The purposes for which medical data obtained from public registers and systems may be used are also not regulated in a consistent and uniform manner. In some cases, the permitted use is regulated very narrowly – eg, data obtained from the e-Prescription system (see 3.2 Recent Regulatory Developments) can only be used for the purposes of delivering information about the e-prescription to the patient, and cannot be aggregated with any other data.
The use of medical personal data for research and development (including development of AI/ML systems) falls under the GDPR. Consequently, entities which have obtained any such data have to discharge their duties under the GDPR (see 4.1 Non-healthcare Regulatory Agencies, Regulatory Concerns and New Healthcare Technologies).
There are currently no specific laws which would regulate the processing of medical personal data for research and development by private business. Consequently, private business does not benefit from any exclusions or exceptions to the general rules of the GDPR (for more details see 10.1 The Utilisation of AI and Machine Learning in Digital Healthcare).
Use of AI/ML in Healthcare
AI/ML systems are increasingly present in healthcare – in supporting diagnosis (eg, to recognise stroke in computed tomography examinations) and treatment, in helping to keep digitised records (OCR and Natural Language Processing (NLP) software) and in healthcare systems administration (eg, an AI/ML tool for prediction of blood component demand). A growing number of AI/ML algorithms are being tested and developed – out of 115 start-ups that participated in the “Top Disruptors in Healthcare 2021” survey, 55% indicated telemedicine and 45% indicated AI/ML as one of their areas of activity.
The use of AI/ML for the purposes of patient treatment is admissible and not subject to any stricter regulatory regimes than the general rules regarding healthcare services (see 3.1 Healthcare Regulatory Agencies and 3.3 Regulatory Enforcement) and consequently the processing of personal data by AI/ML systems for such purposes is also admissible – subject to general GDPR rules (see 4.1 Non-healthcare Regulatory Agencies, Regulatory Concerns and New Healthcare Technologies and 9.1 The Legal Relationship between Digital Healthcare and Personal Health Information), although the performance of some of these obligations may raise some practical issues – such as how to satisfy the transparency obligations. The majority of AI/ML systems used for the benefit of individual patients will fall under the definition of a medical device (see 5.1 Categories, Risks and Regulations Surrounding Software as a Medical Device Technology).
The Use of Personal Data for the Development of AI/ML
The use of medical personal data for research and development, in particular for development of AI/ML systems, falls under the GDPR, but currently there are no dedicated laws which would regulate the processing of medical personal data for such purposes by private business. Consequently, private business does not benefit from any exclusions or exceptions to the general rules of GDPR. This raises questions as to how some GDPR obligations should be performed.
For example, there are no national guidelines or interpretations of the PPDPO on how precisely the specific processing purposes should be defined when informing data subjects – eg, whether a broad statement that data will be used to develop, train and validate AI/ML algorithms that will be used in healthcare is specific enough. Companies have to rely on the rules laid down in the GDPR (eg, point 33 of the preamble) and the upcoming guidelines of the European Data Protection Board on the processing of personal data for scientific research purposes.
AI/ML algorithms may find correlations between the data that lead to additional information about data subjects being established or change the outcome of previously conducted data protection impact assessments. Depending on the circumstances, this may require the sending of additional information to data subjects, and, currently, there are no national regulations or mechanisms which would help companies perform such obligations.
Finally, both as a result of combining different data sets and of AI/ML algorithms finding correlations between the data that lead to additional information about data subjects being established, data that was anonymous data may be re-identified.
Currently, there are no laws or guidelines on how medical data should be anonymised in order to minimise the risk of re-identification – an issue which necessarily entails some hard choices between the quality and completeness of available data and patient privacy, especially because the growing volume and quality of data will mean that the line between data which enables re-identification and that which does not will keep shifting.
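The trade-off described above can be measured before a data set is released. The following is an added example (not code from the guide or from any Polish authority) run on a small constructed export whose direct identifiers were removed but whose quasi-identifiers (postcode, year of birth, sex) remain: it counts how many records can be tied to a named person by combining the export with a second, constructed data set, then shows how generalisation and suppression raise the k-anonymity level at the cost of lost records. All record values are constructed; the anonymisation technique is plain k-anonymity, which the guide does not prescribe.

```python
from collections import Counter
from typing import Dict, List, Tuple

Record = Dict[str, object]
QI = ("postcode", "yob", "sex")  # quasi-identifiers left in the "anonymised" export

# Constructed sample export: direct identifiers (name, national ID) already removed.
RECORDS: List[Record] = [
    {"postcode": "00-001", "yob": 1961, "sex": "F", "dx": "stroke"},
    {"postcode": "00-001", "yob": 1961, "sex": "F", "dx": "diabetes"},
    {"postcode": "00-002", "yob": 1975, "sex": "M", "dx": "asthma"},
    {"postcode": "00-003", "yob": 1975, "sex": "M", "dx": "asthma"},
    {"postcode": "01-100", "yob": 1988, "sex": "F", "dx": "migraine"},
    {"postcode": "01-101", "yob": 1988, "sex": "F", "dx": "migraine"},
    {"postcode": "01-102", "yob": 1990, "sex": "M", "dx": "stroke"},
    {"postcode": "00-004", "yob": 1966, "sex": "F", "dx": "diabetes"},
]

# Constructed second data set that carries names next to the same quasi-identifiers
# (the kind of data set the text says an anonymised export may be combined with).
REGISTER: List[Record] = [
    {"name": "Person A", "postcode": "00-002", "yob": 1975, "sex": "M"},
    {"name": "Person B", "postcode": "01-102", "yob": 1990, "sex": "M"},
    {"name": "Person C", "postcode": "00-001", "yob": 1961, "sex": "F"},
]


def qi_key(rec: Record, fields=QI) -> Tuple:
    return tuple(rec[f] for f in fields)


def class_sizes(records: List[Record], fields=QI) -> Counter:
    """Size of each equivalence class (records sharing the same quasi-identifier values)."""
    return Counter(qi_key(r, fields) for r in records)


def min_k(records: List[Record], fields=QI) -> int:
    """The k in k-anonymity: the size of the smallest equivalence class."""
    return min(class_sizes(records, fields).values())


def reidentified(records: List[Record], register: List[Record], fields=QI) -> int:
    """Records whose diagnosis can be tied to exactly one named person: the record is
    alone in its class AND exactly one register entry shares its quasi-identifier key."""
    sizes = class_sizes(records, fields)
    reg_sizes = Counter(qi_key(r, fields) for r in register)
    return sum(1 for r in records
               if sizes[qi_key(r, fields)] == 1 and reg_sizes[qi_key(r, fields)] == 1)


def generalise(rec: Record) -> Record:
    """Coarsen quasi-identifiers: postcode to its area prefix, year of birth to decade."""
    out = dict(rec)
    out["postcode"] = rec["postcode"].split("-")[0]
    out["yob"] = rec["yob"] // 10 * 10
    return out


def suppress(records: List[Record], k: int, fields=QI) -> List[Record]:
    """Drop every record that sits in an equivalence class smaller than k."""
    sizes = class_sizes(records, fields)
    return [r for r in records if sizes[qi_key(r, fields)] >= k]


def utility_loss(original: List[Record], kept: List[Record]) -> float:
    """Share of records lost to suppression: the completeness paid for the privacy level."""
    return 1 - len(kept) / len(original)


if __name__ == "__main__":
    gen = [generalise(r) for r in RECORDS]
    reg_gen = [generalise(r) for r in REGISTER]
    safe = suppress(gen, 2)
    print("raw:         k =", min_k(RECORDS), "re-identified =", reidentified(RECORDS, REGISTER))
    print("generalised: k =", min_k(gen), "re-identified =", reidentified(gen, reg_gen))
    print("suppressed:  k =", min_k(safe), "re-identified =", reidentified(safe, reg_gen),
          "records lost =", utility_loss(RECORDS, safe))
```

Generalisation alone still leaves one record re-identifiable here; only suppression reaches k = 2, and it does so by discarding an eighth of the data, which is the trade-off the text refers to.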
In April 2021, the European Commission published its Proposal for a Regulation laying down harmonised rules on artificial intelligence. The proposal presents the legal framework for AI/ML systems - including essential aspects such as regulatory obligations for providers of AI/ML systems, AI post-market surveillance, and conformity assessment of high-risk AI. High-risk AIs will have to meet additional regulatory requirements throughout their life cycle. Depending on the circumstances, a significant number of AI/ML systems used in healthcare could be considered high-risk, taking into account the changes brought by the MDR classification framework (see 5.1 Categories, Risks and Regulations Surrounding Software as a Medical Device Technology).
From 1 January 2021, all HSPs are required to keep medical records in electronic form. In practice, however, many HSPs are not prepared to fulfil this obligation, and the IT infrastructure of many institutions is either poor or outdated (all the data mentioned below is current as of December 2019).
However, saturation with IT infrastructure looks adequate – 95.97% of HSPs report that either all (56.89%) or the vast majority (29.55%) of rooms where medical files are being used have access to an IT network. Similarly, 90.29% of HSPs report that either all (65.58%) or the vast majority (24.71%) of their medical staff have access to a computer. 82% of hospitals and 64% of outpatient clinics (including primary care clinics) report that they have the IT infrastructure that is necessary for storing patient medical files in electronic form.
At the same time, HIS, LIS, PACS, RIS and Medical Data Warehouse software are used by only 30% of HSPs. Over 90% of HSPs do not use any Medical Data Warehouse software. Over 73% of HSPs do not digitise their existing medical records and over 83% of HSPs have not implemented any digital services designed for other HSPs. About 50% of HSPs do not have a digital medical records repository (which would include file metadata enabling record search). Only 10% of HSPs record any type of patient consent in digital form. 66% of HSPs share medical records with other HSPs only in paper form.
Another problem is the low quality of medical data produced by HSPs – data is often inconsistent, incomplete or out of date. This is due to both factual reasons (the foregoing problems with IT infrastructure) and legal reasons (an excessive number of acts and legal norms regulating the principles and standards of creating and accessing medical records, and at the same time the lack of sufficient unification of documentation inter-operability standards and their appropriate enforcement).
Only 30% of HSPs use the Polish National Implementation of the HL7 CDA standard that defines the syntax and semantics of electronic medical documents for the purpose of their exchange.
Additionally, public databases in which medical data is processed (see 3.2 Recent Regulatory Developments and 9.1 The Legal Relationship between Digital Healthcare and Personal Health Information) are highly dispersed and there is limited data exchange between them.
Despite these difficulties, the development of IT infrastructure in the healthcare sector is progressing, and the current COVID-19 pandemic seems to be accelerating this development.
The growth of cloud computing in healthcare is a fact. It results from cost efficiency (using the vendor's infrastructure may be cheaper than building your own), flexibility, availability of resources (anytime and anywhere), and security (thanks to distributed architecture, but also to the IT security standards applied, at least by renowned suppliers, the cloud often provides better protection for the data than customers' own infrastructure).
The cloud still raises some doubts, however. One of the biggest concerns is ensuring that the data is really safe and always available. The data-holder should also have full control of and knowledge about how and where its data is processed, and keep full rights to recover it, both in the event of security threats and on any discontinuation of co-operation with the vendor (ie, to avoid vendor lock-in). Hence, data-holders should always, in the first place, establish whether the cloud provider is a reliable partner, including whether it offers exhaustive information on the locations and other technical details of storage (or other uses) of the data. When multiple IT vendors are involved, the contracts should clearly define the scope of their liabilities, their roles in the process, and the respective data flows between all parties involved.
As there are many specific regulations regarding health data, and as health data requires special security measures under the GDPR when it is processed, choosing an experienced and reliable (and, preferably, certified) supplier is a must.
Digital health solutions can be protected by a variety of IP rights, including patents, copyrights, or trade secrets. Patents may cover medical devices or their components, as well as (although less often in the case of digital health) substances and methods (except for treatment or diagnosis methods, even if performed by a device, eg, a remote diagnostic tool). Notably, software (as such) is expressly excluded from patentability, even though it can support, or itself be, a digital health solution. The Polish Patent Office has also been reluctant to grant protection to computer-implemented inventions (deemed patentable elsewhere in Europe). However, this may change shortly due to the latest legislative changes.
Software solutions can be protected in Poland by copyright, just like any other works of authorship. Authorship by other beings, including AI, is discussed by academics and practitioners, but the prevailing opinion is that, under current laws, only human authorship is possible. Similarly, AI has not been recognised as an inventor under Polish patent laws.
Digital health solutions may be protected as trade secrets, which are defined as technical, technological, or organisational information that has economic value, and remains confidential (due to the acts of diligence taken by its holder).
Structured databases are subject to a specific, sui generis IP right in Poland (and in the EU), whereas raw/unstructured data does not, as such, fall into any general protection regime.
Involving academic institutions in developing an innovation usually requires the establishment of rules of allocating the resulting IP rights. Under the general principle of Polish law, the rights are vested in the authors/inventors. This rule may be contractually modified, including between inventors and their employers and/or between universities and healthcare institutions. The arrangements between universities and other institutions usually set the rules of the final allocation of rights in a proportion that is supposed to reflect the role or expenditures of each party in creating IP rights.
Private-sector companies involved in developing the device or innovation are usually keen to acquire all the respective rights. However, other scenarios are available (eg, the split of IP rights between a private entity and a university's special-purpose vehicle (SPV)). Different rules may apply in the case of publicly financed research and development. The public sponsor may impose specific rules of allocation of these rights among beneficiaries.
The general principle is that, by default, IP rights are vested in the authors/inventors in proportion to their actual contributions. As the actual proportions of these contributions may be challenging to establish unequivocally in practice, the division of shares in the rights is usually predetermined at the very beginning of the co-operation. However, the actual contributions may differ quite significantly from those which were assumed, and so the need to modify the prior arrangements may arise. Hence, the best practice in collaborative developments is to define not only the pre-established split of shares in the IP rights but also the principles of their modification (and, if necessary, respective compensation) if the contributions turn out to differ significantly from the assumptions. It is also worth establishing detailed rules for using the IP rights, sharing the benefits, managing the rights, allocating burdens (including those related to obtaining or maintaining their registration), and transferring the rights.
Liability of HSPs and Doctors
HSPs and doctors will be liable for patient injury either contractually or tortiously (depending on whether the healthcare services are publicly financed, whether the patient has a contract directly with the doctor or the doctor is employed by the HSP, etc). In both cases, liability is based on fault, but under contractual liability there is an inverted burden of proof when it comes to fault, so it is for the respondent to establish that the injury is a result of circumstances for which he or she is not at fault.
If the HSP or the doctor is found liable, they may have recourse claims towards the digital health-technologies producers or service-providers, if their products caused or contributed to the injury.
Liability of Producers and Service-Providers
Digital health technologies producers or service-providers can be liable on their own for patient injury caused by their technologies under the product liability regime (the Polish rules are an implementation of the EU Product Liability Directive).
The definition of a product has been interpreted broadly and covers not only physical products such as medical devices, but also software which is part of those products (although standalone software, ie, software which is not incorporated in a physical product, would not be considered as falling under the defective product liability regime).
The producer is subject to strict liability (irrespective of fault). The injured party is entitled to compensation if she or he proves the injury, the defect in the product and the causal link between the product being defective and the injury.
A product is defective if, at the time of placing it on the market, it does not provide the safety that the public is entitled to expect, taking into account the use to which it could reasonably be expected to be put, the general state of knowledge at the time, and the way it was presented to its users. A product cannot be considered as defective just because an improved version is subsequently introduced onto the market.
The producer will not be liable inter alia if, at the time when the product was put into circulation, the state of scientific and technical knowledge was not such as to enable the existence of the defect to be discovered.
Digital health technologies suppliers can also be liable on their own for patient injury caused by their technologies under general tort law. In this case, besides the injury and the causal link, the supplier’s fault needs to be established as well.
Liability for Using AI/ML
Although the product liability regime works well when it comes to the majority of digital health technologies, its rules may not adequately take into account the specific circumstances associated with developing, training, validating and using AI/ML algorithms. Because of this, new rules of liability for AI/ML are currently under discussion both at the national and European level (see 14.1 Hot Topics That May Impact Digital Healthcare in the Future).
Digital health-technologies producers or service-providers are contractually liable towards their clients. Although contractual liability as a general rule is based on fault, the precise regulation of the scope and character of the parties’ obligations is of the utmost importance. Agreements should specify each party’s obligations regarding IT security, data security, data-sharing, employee training, etc. In appropriate cases, service-level agreements (SLAs) should be concluded.
If the vendors process patient personal data as a result of supplying the technology to the HSP, appropriate data processing agreements should be concluded, which should cover issues of data security, sharing information on data breaches, parties’ co-operation in the case of data breaches, corrective and preventive actions (CAPAs), the admissibility of anonymising data for secondary use, etc.
The administrative fines that the data protection authority can impose on public hospitals are significantly lower than the ones defined in the GDPR (PLN100 000), so any indemnity clauses in contracts with public hospitals should take that into account.
Liability for AI/ML, but also the impact of AI/ML systems on HSP and doctor liability, will definitely be areas of interesting developments in the future. AI/ML becoming more effective than humans will have a profound impact on issues of standard of care, a doctor’s due diligence and questions such as whether following AI/ML recommendations can be an exculpatory circumstance.
New rules of liability for AI/ML are currently under discussion, both at the national and European level. On 20 October 2020 the European Parliament passed a resolution with recommendations on a civil liability regime for AI.
Under the proposal, any operator of a high-risk AI system would be strictly liable (irrespective of fault) for any harm or damage that was caused by a physical or virtual activity, device or process driven by that AI system.
The term “operator” would cover both "front-end operators" - anyone who exercises a degree of control over a risk connected with the operation and functioning of the AI system and benefits from its operation, and "back-end operators" – anyone who, on a continuous basis, defines the features of the technology and provides data and an essential back-end support service and therefore also exercises a degree of control over the risk connected with the operation and functioning of the AI-system.
Liberalising the rules of access to medical data for research and development purposes is being discussed and will likely see some important changes. Some forms of data trusts (eg, foundations, associations representing patients and other stakeholders) may be established. This will raise the important questions as to whether medical data should be supplied to such entities based on patient opt-out or opt-in rules (taking into account the risk of re-identification of anonymised data).
This will also raise the issue of establishing laws or guidelines on how medical data should be pseudonymised or anonymised in order to minimise the risk of re-identification and the rules of handling non-personal medical data (which is not protected under GDPR). The EU Proposal for the European health data space, which is set to be published in the last quarter of 2021, may have a significant impact on these issues.
Access to more high-quality medical data will make Value-Based Healthcare (VBHC) projects more feasible – eg, establishing risk-sharing schemes (RSS) in reimbursement decisions, which connect payments between the National Health Fund and the reimbursement applicant with the product’s therapeutical efficacy (based on data obtained, eg, from public registers).