Digital Healthcare 2021

Last Updated June 30, 2021


Law and Practice


Koutalidis Law Firm was founded in 1930 and is regarded as one of the most prestigious top-tier law firms in Greece. The firm has advised on some of the most high-profile and ground-breaking transactions in Greece and has a varied client list that includes leading Greek and foreign corporations, major investment and commercial banks and financial institutions. The firm's work and commitment to providing excellent service and finding innovative solutions covering a variety of law and business sectors has been recognised by clients and independent commentators. With an Athens-based team of 12 lawyers dedicated to the healthcare and pharmaceutical industry, the firm provides all-inclusive legal services to its demanding clients on both contentious and non-contentious matters. In order to address the novel challenges brought by digital healthcare and provide stellar service, the team often works closely with the firm's TMT and data protection practices.

Definitions and Main Differences

Digital healthcare or digital health (used interchangeably herein) may broadly be defined as a set of patient- and/or consumer-engaging technologies (both hardware and software solutions and services), platforms and systems utilised for health-related purposes (including lifestyle and wellness) – often in service of supporting life science and clinical operations – and which are largely dependent on the collection, storage and transmission of health data. In this sense, digital health is the place where technology, day-to-day life and health care meet; and is thus aimed at both patients and consumers.

Digital medicine is a narrower term that conceptually falls within the framework of digital healthcare. Digital medicine focuses on evidence-based software and hardware products that perform two main functions, measurement and intervention, in the service of human health (including treatment, recovery, disease prevention and health promotion). In this sense, digital medicine, as a subset of digital healthcare, is mainly aimed at patients.

The Healthcare Provider’s Perspective

Using the variety of computational technologies and analysis techniques, smart devices and communication media – themselves the result of the development of the interconnected health systems with which digital healthcare is concerned – the healthcare provider (HCP) is assisted in performing its “traditional” dual function of preventing and managing illnesses and health risks and promoting health and general well-being. The HCP role in digital healthcare is perhaps most salient in the context of telemedicine or virtual care (ie, the provision of healthcare services through the use of information and communication technologies (ICTs) when the HCP and the patient are not in the same location), one of the main technologies used in the context of digital healthcare.

As in the case of digital healthcare, the HCP is also assisted in its practice of medicine in the context of digital medicine, for instance through the use of evidence-based tools (digital medicine products), such as measurement products (eg, digital biomarkers tracking change in tremor in Parkinson’s patients), intervention products (eg, insulin pumps) or a combination of the two (eg, continuous glucose monitors in diabetes patients). At the same time, the HCP may also act in a scientific or research capacity, either by being part of the discovery and development of safe and ethical digital medicine products or by designing or executing clinical studies and/or digital tools.

The Patient or Consumer Perspective

Patients and/or consumers are the main stakeholders in both digital health and digital medicine and the main (if not only) reason for the existence and rapid development of the fields. In the context of digital health, these persons can act both as end users (eg, through the use of wearable devices tracking and collecting consumer health information) and patients (eg, in the context of telehealth or e-prescription).

The Regulatory Perspective

Digital healthcare is generally a less-regulated field than digital medicine. Most digital health products (eg, wearables, health tracking apps, virtual assistants, etc) do not require regulatory oversight from healthcare regulatory agencies (see 3.1 Healthcare Regulatory Agencies). As is the nature of innovative products and services that are heavily reliant on sensitive personal data, digital health products can of course be subject to the regulatory oversight of non-healthcare regulators (see 4.1 Non-healthcare Regulatory Agencies, Regulatory Concerns and New Healthcare Technologies).

Conversely, due to its evidence-based nature, digital medicine typically requires clinical evidence (ie, updates collected from randomised controlled trials), clearance and/or approval and is generally subject to heavy scrutiny by health regulators prior to its launch (and throughout its life cycle) (see 3.2 Recent Regulatory Developments and 5.1 Categories, Risks and Regulations Surrounding Software as a Medical Device Technology).

The Technology Perspective

While both digital health and digital medicine make use of emerging technologies, such as artificial intelligence (AI) and machine learning (ML) and big data analytics (see 1.3 New Technologies), some, like electronic communication networks and virtual/augmented reality, are more relevant in digital health, while others, like decision support software and robotic medicine, are more pertinent to digital medicine.

Greek law does not contain a definition of digital health or digital medicine. On the issue of “eHealth”, the Greek Ministry of Health (MoH) website refers to the definitions used by the World Health Organization (WHO), which describes it as “[…] the efficient and safe use of [ICTs] in support of health and health-related fields, including healthcare, monitoring and treatment, research and knowledge”, and by the European Commission, which further describes it as “[…] tools and services that use [ICTs] to improve prevention, diagnosis, treatment, monitoring and management of health-related issues and to monitor and manage lifestyle-habits that impact health.”

As mentioned in 1.1 Difference between Digital Healthcare and Digital Medicine, most digital health products and services are not subject to regulatory oversight by health regulators.

As detailed later in the chapter, some of the key technologies in digital health and digital medicine are:

  • AI and ML;
  • robotic medicine;
  • wearable devices;
  • cloud-based integration of medical devices;
  • electronic communication networks (fibre optics and 5G networks);
  • 3D organ bioprinting for transplantation;
  • big data analytics;
  • sensor technology;
  • virtual and augmented reality (VR and AR);
  • genomics (CRISPR/Cas9);
  • Internet of Things (IoT) and 5G technology in telesurgery;
  • cryonics; and
  • application technology.

Most of the aforementioned technologies apply to and concern both digital healthcare and digital medicine (eg, sensor technology and big data analytics), but some are more relevant to one than the other. For instance, wearable devices and telemedicine are at the core of digital health, while 3D organ bioprinting for transplantation and genomics are closer to digital medicine, the subset of digital health.

The proliferation of digitalisation in the healthcare sector and the accompanying ever-growing need for collecting, storing and making use of electronic records containing sensitive data brings forth the issue of data protection from unauthorised release and cybersecurity. Furthermore, the launch of innovative digital medical products creates – and will continue to create – issues of medical regulatory authorisations, copyright, safety and security, as well as issues of liability (eg, when the medical product in question is being used by an HCP relying on an automated diagnosis) and patient (information) rights.

The COVID-19 pandemic brought about a number of changes to the way healthcare is provided, most notably by increasing the pace of the digitalisation that was already underway. Some of the most significant changes include:

  • remote or in-person care to COVID-19 patients using modern and safe technological means;
  • remote guidance, counselling and support to COVID-19 patients;
  • e-prescriptions without the need for physical presence of the patient; and
  • mapping and contact tracing technologies.

While created or pushed forward as a means to tackle the global pandemic, most of the above are expected to stay post-pandemic. See 6.2 Regulatory Environment.

The negative effects of climate change on public health have long been documented and studied, as have ways to address this situation – even on a global scale (most recently, through the signing of the Paris Agreement). Ironically, the traditional health sector significantly contributes to greenhouse gas emissions (GGEs), being responsible for about 4–5% of global output. In turn, climate catastrophe also puts a strain on global health systems.

Proponents of digital health, climate change advocates and academics have long put forward the application of digital health as a mitigation strategy to combat climate change by reducing the health sector’s GGEs, through the use of telemedicine, e-prescriptions, remote diagnostics and electronic medical records, among others. Empirical evidence indeed shows a strong correlation between adoption of digital health and reduced GGEs: in a very recent study of the UK’s NHS, the health service’s GGEs were reduced by 26% in 2019 compared to 1990, and a big part of this reduction can be attributed to digital redesign and changes in clinical practice.

Digital health can indeed play a big role in supporting the fight against climate change, by leveraging AI, big data and ML for developing diagnostic tools and more efficient systems:

Infectious Diseases

Climate change has brought about an increasing spread of climate-sensitive infectious diseases (together with the spread of mosquitos due to rising temperatures). Digital health tools could assist in this regard, eg, through the use of electronic maps for preventing, closely following or monitoring disease spread.

Heatwaves

Heat health warning systems (ie, technologies for predicting heatwaves) could help mitigate heat dangers by giving out early alerts, advice to the public and emergency response measures.

Heatwaves are a particularly big problem for Greece, especially in recent years with temperatures exceeding 41 degrees Celsius. Heat health warning systems can therefore be particularly helpful in addressing climate change-driven public health dangers in Greece.

Respiratory Diseases

Digital health could also assist in the management of respiratory diseases due to air pollution, principally caused by fossil fuel combustion, through the use of diagnostics digital tools (eg, health sensors, connected devices and wearables).

Sustainability in Healthcare

The limitation of paper-based practices, combined with the use of AI, could help not only the betterment of the environment, but also streamlining administrative practices and medical processes.

The Greek MoH

The core regulatory authority for healthcare in Greece is the MoH, responsible for – among others – defending, protecting and promoting public healthcare; ensuring universal and equal access to the provision of healthcare services by the National Healthcare System ("Greek NHS"); and regulating the operation of and exercising supervision of private healthcare institutions.

Specialised Regulatory Agencies

Specialised regulatory agencies and organisations also exercise control over their respective sectors of responsibility. Such regulatory agencies include the National Organisation for Medicines (EOF), the National Organisation for the Provision of Health Services (EOPYY), the National Public Health Organisation (EODY), the Regional Health Administrations (YPEs) (comprising public hospitals in each region and other special departments) as well as the National Doctors’ Association and the National Pharmacists’ Association and all respective regional associations. More specialised agencies are:

  • the EOF’s Institute of Pharmaceutical Research and Technology (IFET);
  • the MoH’s National Council for eHealth Governance (ESDHY); and
  • other non-profit or professional associations.


EOF is the authority responsible for the protection of public health, as well as the safeguarding of the public interest in the field of medicines and other related products, ensuring adequate circulation of tested and quality products and the promotion and development of technology and research in the field of healthcare. Among others, the EOF’s responsibilities include supervision over medicinal products, active substances and medical equipment.


The EOPYY’s responsibilities pertain to social insurance and EODY’s competence pertains to enhancing the Greek NHS, while doctors’ and pharmacists’ associations have competence over enforcing the licensing procedure and codes of conduct for healthcare professionals. Finally, the YPEs are responsible for issuing the relevant licences for the operation of private hospitals and pharmacies.

There is no express provision that digital healthcare falls within the scope of the EOF. However, according to Greek Law 1316/1983, the EOF’s regulatory supervision includes, among others, technologically evolved medicinal products and various medical aids such as medical equipment used for diagnostics, treatment, etc. The EOF has also been defined as the competent regulatory authority for the inspection of the marketing of medical devices in Greece under Greek law and the EU Directives. The EOF will maintain this authority following the implementation of Regulation (EU) 2017/745, the Medical Device Regulation (MDR), and of Regulation (EU) 2017/746 on in vitro diagnostic medical devices (IVDR).


Specifically, regarding telemedicine, the National Telemedicine Network (EDiT), established by the second YPE of Piraeus and the Aegean, has installed telemedicine systems in 43 healthcare units. EDiT provides the following services:

  • teleconsulting;
  • tele-education;
  • tele-psychiatry; and
  • establishment of special healthcare units.

Telehealth in Greece was promoted mainly to address the issues of lack of healthcare professionals and infrastructure in remote areas and especially remote islands of the Aegean Sea.

Digital healthcare in Greece has been on the regulatory agenda for several years without constituting the regulator’s main point of interest. The core legislative act focusing on digital healthcare regulation is Greek Law 3984/2011, which provides that the use of telemedicine methods is made at the HCP’s own responsibility and according to the doctors’ code of conduct. The regulatory framework for medical devices also sets out generic rules that are directly relevant to digital healthcare.

However, the integration of digital healthcare in the Greek NHS recently drew specific regulatory attention with the adoption of EDiT for telemedicine systems (see 3.1 Healthcare Regulatory Agencies). Another important development has been the digital prescription of medicines/medical exams. The introduction of a more specialised regulatory framework for medical devices, brought about by the aforementioned MDR and IVDR (see 3.1 Healthcare Regulatory Agencies), is another important development, shaping the field.

More broadly, the last couple of years have seen digital healthcare methods being promoted by regulatory agencies and hospitals. The COVID-19 pandemic exposed the need for more technology and innovation in the healthcare sector and pushed for changes in the digitalisation of healthcare, through the introduction of a special digital procedure for the healthcare supervision of COVID-19 patients and the establishment of specific telemedicine departments. Against this backdrop, hospitals can issue guidelines on the utilisation of digital healthcare methods – albeit these would merely be for advisory purposes to HCPs, with the latter bearing the ultimate responsibility for the use of telemedicine methods.

Regulatory Enforcement


Regulatory enforcement is particularly active in the areas of circulation of medical products in the Greek market, licensing procedures for HCPs and private clinics, prudent exercise of healthcare-related professions and control over medicine prescription and reimbursement. The rationale behind this is the protection of public health, by not allowing potentially dangerous or misleading products to reach patients/consumers and by placing barriers on the exercise of medical professions.

EOF level

Enforcement is generally achieved through the imposition of fines and sanctions (administrative and/or criminal). Among other things, EOF is authorised to conduct inspections, quality audits, and books and records audits.

Professional associations level

The National Doctors’ and Pharmacists’ Associations have the power to ensure compliance of their respective professionals by imposing licence obligations and their codes of conduct. This also reflects the regulatory enforcement method selected by the legislator with regard to the utilisation of digital healthcare in diagnostics and treatments. In case of breach, the sanction imposed would depend on the magnitude of the alleged act of misconduct and could even lead to licence revocation for a certain period.

MoH level

At the EOF’s suggestion, the health minister can impose sanctions related to medicine circulation and pricing, medicinal products, medical devices and in vitro diagnostic medical devices. The sanctions imposed mainly comprise administrative fines against the manufacturers, pharmaceutical companies, etc.

Procedure Followed

Generally, the procedure for the imposition of an administrative sanction is as follows:

  • the competent authority initiates the procedure in case of suspicious activity or upon receiving a relevant report;
  • if alleged non-compliance appears substantiated, then the authority will call the alleged breacher to provide explanations on the allegations (constitutional right to be heard); and
  • depending on the merits of the case, the authority may or may not impose reasoned sanctions.

The imposition of sanctions relating to regulatory breaches in the healthcare sector is mostly an act of an administrative nature. The person penalised has the right to challenge the sanction first before the competent regulatory authority (non-mandatory administrative appeal). Should the person not elect to file such an appeal, or if the latter is rejected, the sanction may be challenged before the competent Administrative Courts. There are cases, though, when an administrative appeal must be filed for the appellant to be able to further challenge the sanction before the Administrative Courts (mandatory administrative appeal).

Technological advances in the healthcare sector have necessarily entered the regulatory radars of authorities that are not subject to the supervision of the MoH.

The Hellenic Data Protection Authority

Perhaps the most important issue that digital healthcare raises is the processing of sensitive personal data. Accordingly, the Hellenic Data Protection Authority (HDPA) plays a big role in digital health and digital medicine. The HDPA is concerned about issues relating to the collection, processing, saving, filing, transferring, etc. of personal data and generally with ensuring the application of Regulation (EU) 2016/679 (GDPR) and the relevant personal data protection national legislation. The general scope of the HDPA’s competence allows it to intervene by issuing guidelines and enforcing the personal data protection legislation where necessary. Against this backdrop, the HDPA has dealt with many cases of personal data protection in the healthcare sector.

The Ministry of Digital Governance

In the context of cybersecurity (which, as mentioned in 1.4 Emerging Legal Issues, is a key legal issue in digital health and digital medicine), the Ministry of Digital Governance and its General Secretariat of Cybersecurity provide regulatory services for the security of information systems.

The Hellenic Authority for Communication Security and Privacy and the Hellenic Telecommunications and Post Commission

In the context of electronic communication networks (which, as mentioned in 1.3 New Technologies, is one of the key technologies to digital health and digital medicine), the Hellenic Authority for Communication Security and Privacy (ADAE) and the Hellenic Telecommunications and Post Commission (EETT), namely, the responsible authorities for the security of the public electronic communication networks, also play a key role in regulating digital health and digital medicine.

Other Non-health Regulators

The Hellenic Copyright Organisation (OPI) is another non-healthcare regulator that plays a significant role in digital healthcare and digital medicine, since they involve patents on innovative products and services. The Greek Standardisation Organisation (ELOT) contributes to the European standardisation process and participates in the preparation of relevant guidelines. Other non-profit or professional associations are also involved in the regulatory process.

Unregulated Areas

Other areas of healthcare and digital monitoring, such as wellness, fitness and self-care, are not strictly regulated in Greece. Nevertheless, the law provides that these activities are promoted and instructed by professionals.

New healthcare technologies are steadily affecting different regulatory fields, calling for convergence and co-operation between regulatory authorities. The HDPA has already been alerted by the emergence of digital healthcare methods, while other authorities are also expected to become involved as digital healthcare expands and becomes even more integrated into Greece’s NHS. In any case, the radical advances that digital healthcare entails will test the reflexes of many regulatory agencies, necessitating the adoption of a co-ordinated action plan.

Regulatory Framework

According to EU and national legislation, software may be considered a medical device under certain conditions. The regulatory framework on medical devices (Directive 93/42/EEC and Directive 98/79/EC) is therefore applicable to Software as a Medical Device (SaMD), and the Medical Device Regulation (MDR), which defines the term SaMD, will enter into force on 26 May 2021.

The classification of Medical Device Software (MDSW) under the MDR takes place in accordance with Annex VIII to the MDR. MDSW is considered an active device and can be classified in any of the four risk classes, according to its intended purpose and its inherent risks. Stand-alone MDSW, such as most health apps, will be classified independently from any hardware medical device (Annex VIII, Chapter 2, paragraph 3.3 to the MDR) and will thus mainly be governed by Rule 11 of Annex VIII to the MDR.

To address continuous software improvement, the EU is revising and re-drafting the relevant device standards in the context of the MDR and the IVDR (In Vitro Diagnostic Medical Devices Regulation) (see 3.1 Healthcare Regulatory Agencies). The European Committee for Standardization (CEN) and the European Committee for Electrotechnical Standardization (CENELEC) are the competent bodies for the adoption of harmonised standards. The first lists of MDR/IVDR harmonised standards are expected to be ready in 2021. These standards are the cornerstone of the MDR and IVDR: by applying them, manufacturers will be able to argue that they have demonstrated compliance with the General Safety and Performance Requirements (GSPRs). On a national level, EOF is the authority responsible for notifying the Commission and the authorities of the other member states of the bodies designated to carry out the conformity assessment procedures.

According to the GSPRs for software, which are included in the new Section 17.2 of Annex I (MDR), software shall be developed and manufactured in accordance with the state of the art, taking into account the principles of development life cycle and risk management, including information security, verification, and validation.

Developments in AI and ML

Indicative of the efforts to catch up with rapid developments in AI and ML is the Joint HMA (Heads of Medicines Agencies)/EMA (European Medicines Agency) Workshop on Artificial Intelligence in Medicines Regulation. The key takeaway from the workshop was the suggestion of ten priority actions for regulatory evolution, such as:

  • upskilling of the EMA and the EU Regulatory Network (EMA Expert Group) on AI methods and guidelines;
  • building a framework that supports the development of guidelines;
  • developing a framework to assess and validate AI; and
  • addressing ethical aspects of AI and promoting transparent and auditable AI.

An extension of SaMD is ML software (ie, where the software device keeps learning automatically after it has been released onto the market), which will also need to undergo the same MDR classification process and be classified as SaMD accordingly. However, the inherent issues of AI (bias, explainability and, above all, accountability when suggestions or medical actions are triggered) remain. In this regard, Greek Law 4780/2021 established the National Bioethics and Techno-ethics Commission, which has already issued opinions – among others – on Electronic Health Records (2015) and Big Data in Health (2017).

Prospective Market Entrants

New entrants in the SaMD area should seek regulatory advice to understand the nature of their solution/software and whether and how it classifies as SaMD. There is EU guidance on the subject, especially from the Medical Device Coordination Group (MDCG). Concerning the conventional timeframes for approving a medical device, the CE Mark process is considered faster than others and requires less clinical evidence, especially in the case of self-certification. However, the safety and suitability of the products should be the main criteria for the assessment of regulatory systems.

Concerns relating to (sensitive) data privacy, data confidentiality, security, integrity and availability remain in the spotlight. Given that a number of newly launched healthcare, fitness and consumer products are now considered medical devices, these products (previously not classified as such) need to be raised to the same standards. To launch new products, market entrants will need to establish new processes, software and tools, and understand the relevant regulatory changes.

Telehealth is transforming the way healthcare services are accessed and provided. It allows for fast, high-quality and convenient care services in a cost-effective way. Using technology to deliver health care has several advantages. Prime examples of telehealth advantages include:

  • remote diagnosis;
  • remote patient monitoring (RPM);
  • the ability to provide care to people with mobility limitations, or in rural areas; and
  • cost savings.

In Greece, the adoption of digital healthcare infrastructure will be a key component in ensuring access to health care services in isolated geographical areas. An effective deployment of telehealth technologies will enhance the ability to better meet the health care needs of those in rural and frontier parts of the country.

However, there is currently a lack of regulatory framework on telehealth, and, as a result, issues such as data privacy, security or medical liability remain to be addressed and the ways to address them are still unclear.

Telehealth and Virtual Hospitals/Virtual Visits

In virtual hospitals, patients are connected with healthcare professionals remotely, via video or other technologies, in real-time for consultation on medical issues. Similarly, a virtual visit is the capability to consult with a doctor through a smartphone, tablet or computer, without the need for an in-person appointment, whether from home or work, regardless of the time of day.

Telehealth and Remote Healthcare

Constant monitoring of the patient’s condition and performance of medical examinations away from medical facilities is described as remote medical care. This form of healthcare is performed with the use of specific technologies (such as mobile devices, wearables, sensors, etc) to facilitate interaction between clinicians and patients at home.

As mentioned in 3.1 Healthcare Regulatory Agencies and 3.2 Recent Regulatory Developments, EDiT has installed telemedicine systems in 43 healthcare units, with further developments in the works. Furthermore, as mentioned in 1.5 Impact of COVID-19 and 6.2 Regulatory Environment, during the COVID-19 pandemic, the digital provision of services of public sector HCPs was promoted to allow for treatment, counselling and support of patients with COVID-19. However, such capabilities and tools have only been partially incorporated into the Greek NHS.

Regardless, the use of telehealth raises issues of cross-border provision of services, especially regarding licensing and authorisation. Doctors generally obtain a licence to practice in a certain area and are subject to the legislation and rules of conduct (including most notably medical ethics rules) of that area.

The main liability considerations regarding cross-border provision of medical services include:

  • patient rights;
  • product liability;
  • jurisdictional issues; and
  • personal data.

COVID-19 Treatment and Support

The COVID-19 pandemic brought about a series of regulatory changes in Greece. One of these changes was introduced by Greek Law 4690/2020, pursuant to which family doctors and contracted doctors of EOPYY may provide services to patients suffering from COVID-19 with home visits and distance sessions, using modern and safe technological means. The law provides for ministerial decisions to further regulate these matters (the issuance of these decisions is still pending).

ICTs have and will continue to be implemented in an attempt to improve communication with and between citizens in isolation at home and to provide counselling, guidance and support for patients diagnosed with COVID-19 and their families, throughout the monitoring phase.


One of the most innovative measures taken during the pandemic was the digital prescription of medicines/medical exams. Greek Law 4704/2020 allows healthcare professionals to make prescriptions electronically and even without the need for physical patient presence. The complete overhaul and digitalisation of the prescription regime has long been underway and constitutes a pivotal and permanent change in the Greek NHS.

Relaxation/Restriction of Legislation

Aside from introducing new regulatory frameworks, the COVID-19 crisis has also led to the relaxation – or even restriction – of the applicable legislation. Personal data and privacy, where tracking or mapping of contacts was used for identification or monitoring of the location of individuals, is a prime example of this. Furthermore, restrictions of fundamental rights and freedoms were implemented as regards movement, socialisation, etc.


The main challenges of the new – national and international – legislative framework are:

  • promoting digital health;
  • regulating technologies in order to ensure that patients receive treatment that is safe and up to specific standards; and
  • responding to ethical issues.

As regards payment for telehealth services, according to Greek Law 4690/2020, compensation for family doctors of the Primary Health Care Units and doctors having a contract with the EOPYY who make home visits is set at pre-fixed per visit/per patient (for follow-up purposes) euro amounts. Compensation for family doctors of the Primary Health Care Units of the Greek NHS and doctors having a contract with the EOPYY who provide distance services to patients with COVID-19 is also set at pre-fixed (lower than in the case of in-person visits) euro amounts per session and per patient (for follow-up purposes).

Greek law also provides for a specific procedure for the compensation of doctors who offer healthcare services remotely (eg, issuance of medical prescriptions and/or medical consultation) during the COVID-19 pandemic.

Definition and Relevant Technological Developments

From a technical point of view, the Internet of Medical Things (IoMT) is defined as a network of physical and virtual elements that monitor and electronically transmit medical data such as vital signs, physical activity and medication adherence, enabling swift diagnosis and treatment through interconnection with hospital and healthcare networks.

The technological developments that – among others – have critically influenced and assisted the growth of the IoMT include:

  • wireless technology;
  • use of AI and ML;
  • application technology growth;
  • development of better and more secure internet and messaging protocols; and
  • sensors technology.

Moreover, innovative uses of IoMT will be further enabled by the introduction of 5G networks, with low-latency support of millions of devices and increased bandwidth.

Regulatory and Security Risk Concerns

The main regulatory concern for IoMT devices such as wearables, implantables, mobile apps, etc, is whether and to what extent they are subject to the relevant legal framework for medical devices. For example, depending on their classification, different regulatory schemes may be applicable. Other important regulatory subjects are:

  • privacy;
  • security; and
  • liability.

From a regulatory and technological point of view, Greece remains at the same level as the majority of the EU member states and has not taken any extraordinary or individualised initiatives to promote the IoMT.

Security Risks

The regulatory categorisation of medical devices does not distinguish between connected and non-connected devices; however, connectivity increases the risk of any device. On an EU level, the threats generated by the integration of IoMT systems are not yet fully captured by traditional risk assessment methodologies, and relevant security controls for IoMT devices have not yet been fully established; instead, they rely on the security landscape of generic IoT.

These security risks ultimately translate into the threat of cybersecurity attacks. Classic attack methods include:

  • the exploitation of software vulnerabilities;
  • social engineering tactics (phishing); and
  • ransomware attacks.

Furthermore, unintended exposure and internal misuse of data also pose a security risk. Mitigation efforts include the implementation of:

  • security awareness and training programmes;
  • boundary defence; and
  • data protection by design and by default.

Mitigation and Best Practices

It should be noted that, due to IoMT hardware limitations (eg, battery constraints), some mitigation mechanisms are difficult (or even impossible) to implement, and these devices are therefore exposed to a much wider range of threats.

While cybersecurity of digital health should be prioritised, the Greek legislator has not yet specifically addressed it (see 11. Upgrading IT Infrastructure). In addressing this matter, Greek authorities should consider global practices.

To date, several attempts have been made to regulate IoT; however, it still remains largely unregulated. An example of unregulated devices is shadow IoT devices such as home assistants (HA), which cannot strictly be classified as IoMT devices. Shadow IoT is becoming a real security challenge, and HA devices can be a back door into the IoMT environment, enabling – among other things – unauthorised access and insecure collection and processing of data.

Positive Effects of 5G on Digital Healthcare

In technical terms, 5G networks are characterised by:

  • low latency, ie, near real-time network responsiveness;
  • wider bandwidth, for ultra-fast data sharing and guaranteed quality; and
  • network reservation for a particular use.

These features make 5G the key foundation for launching technologies, such as the IoT, AI, VR and AR. A number of healthcare areas could benefit from 5G, including remote monitoring of health, the home care of patients, addressing the needs of patients in remote areas and robotic surgery. Telemedicine allows doctors and other clinical staff members to collaborate more efficiently to deliver healthcare to remote locations. With high-speed and reliable 5G networks, patients can be treated sooner and have access to specialists otherwise not available: improving access improves quality of care.

Using IoT devices or wearables will allow for reliable monitoring of patients not limited by network restrictions in terms of reliability, capacity, latency, etc. Healthcare organisations can use AI tools to provide the best care possible – from wherever they are. By enabling all these technologies through 5G networks, healthcare systems can improve the quality of care and patient experience, as well as reduce the cost of care.

The above capabilities are critical for first responders and disaster management. Integrated 3C (Communications, Command and Control) solutions using AR/VR, AI and IoT technologies will be complemented by the ability to offer medical treatment to those in need at the scene through telemedicine or telesurgery, drawing on the health resources of remote hospitals.

In Greece, the established telemedicine network (see 3.1 Healthcare Regulatory Agencies, 3.2 Recent Regulatory Developments and 6.1 Role of Telehealth in Healthcare) will benefit from the introduction of 5G, as the 5G spectrum has already been allocated to licensed mobile operators, which are gradually deploying 5G services.

Contractual Considerations

The main contractual considerations that healthcare institutions face are:

  • the integrity of the platforms used, since – usually – providers use third-party solutions that may compromise security (confidentiality, integrity and availability); and
  • assurance that the privacy requirements set by the regulatory authorities are met.

Using vs Sharing of Personal Data

Data usage poses much fewer risks and concerns, as regards privacy and security, compared to data sharing. However, according to Article 4 of the GDPR, data use and data sharing both fall under the definition of processing.

The Greek Legal Framework

The applicable legislation that healthcare providers are subject to is:

  • the GDPR;
  • Greek Law 4624/2019 (and Greek Law 2472/1997, some articles of which are still in force), which supplement the GDPR;
  • Law 3471/2006 as regards processing of data in the field of electronic communications; and
  • Law 4577/2018, which implements the NIS Directive.

Processing of Health Data under the GDPR

The processing of health data is prohibited under the GDPR, unless the exceptions of Article 9 paragraph 2 apply. HCPs should go to great lengths to achieve compliance with the applicable regulatory frameworks on personal data protection and on the security of networks and information systems. Finding the appropriate lawful basis for processing (under both Articles 6 and 9 of the GDPR, ie, consent, legal obligation, etc), taking all the appropriate technical and organisational measures, informing the data subjects of the processing activities and/or potential transfers of data (which, in the case of transfers outside the EEA, require additional measures and actions), and having in place the appropriate documentation and agreements (eg, a data processing agreement or a data protection impact assessment) are only a handful of the issues arising in connection with data processing.

To make the processing of personal data less complex, HCPs can process data following the basic principles of the GDPR, such as data minimisation and purpose limitation. Furthermore, de-identification methods, such as pseudonymisation, anonymisation and/or data aggregation, may be useful; however, they cannot ultimately guarantee security, because re-identification analysis may – in some cases – reveal private information. HCPs should combine the basic GDPR principles with de-identification methods in order to address – at least to some extent – considerations of personal information privacy.
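The limits of de-identification noted above can be made concrete. The following Python is an added example, not code from the original chapter or from the firm: it pseudonymises constructed, fictional patient identifiers first with an unkeyed hash and then with a keyed HMAC, shows that the unkeyed form can be linked back by anyone who holds a list of identifiers, and aggregates diagnoses per postcode while suppressing small cells that could single out an individual. The 11-digit identifier format, the postcodes, the diagnosis codes and the suppression threshold are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample records. The 11-digit identifiers mimic the format of a
# national health/social security number but are fictional; the postcodes and
# ICD-style diagnosis codes are placeholders chosen for this example.
RECORDS = [
    {"id": "01018012345", "postcode": "11524", "diagnosis": "J06"},
    {"id": "15037054321", "postcode": "11524", "diagnosis": "J06"},
    {"id": "22119067890", "postcode": "11524", "diagnosis": "J06"},
    {"id": "30049011223", "postcode": "11524", "diagnosis": "F32"},
    {"id": "05068044556", "postcode": "10431", "diagnosis": "J06"},
    {"id": "19079077889", "postcode": "10431", "diagnosis": "F32"},
    {"id": "28029099001", "postcode": "10431", "diagnosis": "F32"},
    {"id": "11118033445", "postcode": "10431", "diagnosis": "F32"},
]


def pseudonym_unkeyed(identifier: str) -> str:
    """Plain SHA-256 of the identifier.

    Deterministic and one-way in theory, but anyone who holds (or can
    enumerate) the identifier list can recompute the hash and link it back,
    so on its own this does not prevent re-identification.
    """
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def pseudonym_keyed(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 with a secret key that the HCP keeps apart from the dataset.

    Linking a pseudonym back requires the key, which plays the role of the
    'additional information' that GDPR-style pseudonymisation keeps separate.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def link_back(pseudonyms, known_identifiers, pseudonymise):
    """Re-identification check of the kind run during a DPIA: recompute
    pseudonyms for a list of known identifiers and report which pseudonyms
    in the dataset match. An empty result means no linkage with that method."""
    table = {pseudonymise(i): i for i in known_identifiers}
    return {p: table[p] for p in pseudonyms if p in table}


def aggregate(records, min_cell=3):
    """Count diagnoses per postcode. Cells below min_cell are suppressed (None),
    because a count of one or two in a small area can single out a person."""
    counts = defaultdict(int)
    for r in records:
        counts[(r["postcode"], r["diagnosis"])] += 1
    return {cell: (n if n >= min_cell else None) for cell, n in counts.items()}


def pseudonymised_dataset(records, key=None):
    """Replace the direct identifier; the other attributes are kept unchanged
    (which is why aggregation and small-cell suppression are still needed)."""
    out = []
    for r in records:
        p = pseudonym_keyed(r["id"], key) if key else pseudonym_unkeyed(r["id"])
        out.append({"pseudonym": p, "postcode": r["postcode"], "diagnosis": r["diagnosis"]})
    return out


if __name__ == "__main__":
    ids = [r["id"] for r in RECORDS]
    unkeyed = [r["pseudonym"] for r in pseudonymised_dataset(RECORDS)]
    print("unkeyed pseudonyms linked back:", len(link_back(unkeyed, ids, pseudonym_unkeyed)))
    key = secrets.token_bytes(32)  # in practice: stored and access-controlled separately
    keyed = [r["pseudonym"] for r in pseudonymised_dataset(RECORDS, key)]
    print("keyed pseudonyms linked without the key:", len(link_back(keyed, ids, pseudonym_unkeyed)))
    print("aggregate with small-cell suppression:", aggregate(RECORDS))
```

Note that even the keyed dataset remains pseudonymised rather than anonymised: whoever holds the key can link every record back, so the key itself must be protected and its use documented.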

Patient Consent

Digital healthcare has changed the nature of patient consent. However, the GDPR tries to balance patient privacy rights and digital market development. European bodies such as the Article 29 Working Party (WP29) and the European Data Protection Board (EDPB) have issued opinions regarding consent (eg, Guidelines 05/2020 on consent under Regulation 2016/679).

Patient consent for medical interventions is fundamental in both ethics and the law, and patient consent is required whenever data is provided to persons not involved in patient treatment. Consent in the context of health data should be freely given, specific, informed, unambiguous and explicit.

Changes Brought about by IoT Devices

However, IoT devices have changed the type and amount of data collected and the way data are processed. Many ethical questions are raised about the use of data captured especially by non-healthcare providers, whose level of confidentiality and security does not always meet the requirements for sensitive personal data. To date, there is still no clear legislative framework in the Greek legal order dealing with this issue.

Enforcement of the regulatory framework relevant to personal data is generally achieved through the imposition of severe administrative fines, of up to EUR20 million or up to 4% of global turnover. Furthermore, a breach of the GDPR could potentially establish and substantiate civil claims by the data subjects. Finally, violations of the GDPR may also entail criminal liability, especially as regards HCPs where the Code of Medical Ethics foresees the imposition of disciplinary sanctions by the competent disciplinary bodies.

AI’s Application in Digital Healthcare

AI’s application in digital healthcare promotes – among others – the analysis, screening, and diagnosis of different conditions. To this day, no specific EU or national legislation on AI is in place. It was only recently that the European Commission made a proposal for a regulation on harmonised rules on AI (the “Artificial Intelligence Act”).

Augmented Intelligence (AuI) is an alternative approach to AI, which builds on the concept of cognitive technology designed to enhance human intelligence rather than removing humans from the decision process.

The Assistive Role of AI

Medical associations endorse a conceptualisation of AI that focuses on its assistive role and results in the physicians’ active involvement as a key control in any related process. Such checks and balances improve specific capabilities and leverage decision making and cognitive power and could thus help address the accountability issue in AI.

AI Concepts in ML

AI concepts also apply to ML. In the process of creating an ML model, the largest portion of the available datasets is used as training data and the remainder as test data. The sources of such data may vary and can include personal data, patient data (medical records), health statistics or even IP-protected data. In all cases, relevant laws and regulations apply to the collection (genuine, unmodified data), anonymisation (in real time, when applicable), processing and transfer of the data, and to the minimisation of bias (eg, gender, race or other personal characteristics).

As current developments call for measures to create trustworthy AI (explainability remains a challenge, as AI, and primarily deep learning, is often characterised as a “black box”), the provider should report data quality (conformance, completeness and plausibility) or even apply external validation (eg, based on specific tools).

ML can provide physicians with relevant information to keep them up-to-date on medical progress and deliver accurate input into their decision-making process. It can also automate hospital and office processes and improve physicians’ workflow using smart records. Furthermore, ML models can diagnose diseases or early signs of various diseases (eg, Alzheimer’s) or enable and enhance quicker drug development cycles.

ML-Associated Risks and Regulation

However, ML insights, data and systems may be subject to risks such as corporate espionage or malicious parties taking control of the system. In general, areas where access to information is shared and the number of end users is increased pose a higher risk of data misuse and attack.

Regulating ML may take place by:

  • requiring the AI system to satisfy pre-defined requirements (lawfulness, ethics, robustness);
  • regulating the AI system;
  • controlling the development process; or
  • a licensing system to regulate developers.

AI and ML are indirectly regulated mainly through:

  • the GDPR, which impacts all firms that utilise EU citizens’ personal data, regardless of location, and which prohibits the use of health data unless the exceptions under Article 9 paragraph 2 of the GDPR apply;
  • intellectual property; and
  • product liability policies.

Natural Language Processing

Also relevant to AI is Natural Language Processing (NLP), which is the ability of a programme to recognise human communication as it is meant to be understood. NLP in healthcare is impacted by the wider EU AI regulatory frameworks mentioned previously (such as the GDPR) and by industry standards, such as Health Level Seven (HL7) and ISO standards (eg, ISO 11073). Uses of NLP include the automated mining of clinical concepts from unstructured data and the suggestion of codes that help turn clinical documentation into rich data sources for capturing physicians' reports and recording diseases. Regulatory compliance itself can be assisted by NLP, which enables the extraction of intelligence embedded in internal and external regulatory data feeds and documents.

As already discussed, Greece proceeds with the use of the central Electronic Health Records (EHR) system hosted in the H-Cloud (the Government Cloud Health Sector; see 11.1 IT Upgrades for Digital Healthcare). This approach provides immediate access to accurate and up-to-date patient information regardless of time and location, while ensuring maximum protection against privacy and security risks by imposing information access systems and security controls.


Many of the developments and upgrades in the IT infrastructure of healthcare institutions in Greece are planned in the Digital Transformation Bible. The Digital Transformation Bible is a proposal which reflects the principles, planning, strategic axes of intervention, model of governance and implementation, and interventions required to implement the digital transformation in Greece. It outlines all digitalisation planning in Greece, among which are a series of mid- and long-term projects in the health sector aimed at upgrading the IT infrastructure, including:

  • the evaluation and upgrade of the digital infrastructure in hospitals;
  • the improvement of the security of health information;
  • the integration of new information systems; and
  • the provision of advanced network and cloud computing services, etc.

The 2021 COVID-19 national vaccination strategy, which was based on the use of web and mobile applications and e-prescription, led to a huge uptake of health IT platforms, with more than a third of the population now enrolled and using them.

Indicative projects include:

  • strengthening of the e-prescription system, completion of the individual e-health file, upgrading digital infrastructure in hospitals and evaluating digital health infrastructure;
  • the expansion and development of patient registries;
  • interoperability and access to health data, improving the security of health information and managing citizens' consent, and implementation of the Integrated Information System for Hospital Units;
  • the expansion of the national telemedicine network and provision of cross-border digital health services;
  • the Digital Emergency Health Care Reform;
  • the Unified Appointment Management System for PHC Structures and Outpatient Hospitals;
  • the Health Information Observatory; and
  • the provision of advanced network cloud computing services in hospital units.

Cloud Management and Cybersecurity

Greek Law 4727/2020 introduced cloud management for the information systems of the public health sector. All electronic applications and central information systems of the Ministry of Health, hospitals and health centres, concerning the processing of medical data as well as medical transactions of citizens, must be installed in the Government Cloud Health Sector (H-Cloud) by 1 January 2023.

The Greek National Cybersecurity Strategy does not explicitly address medical devices and healthcare as a separate element, but it does affect key actions of the Digital Transformation Bible.

The activities with direct impact are:

  • the cybersecurity of 5G networks;
  • the need for specialised security measures for Industrial IoT;
  • the requirement of special measures in order to protect AI systems from attacks; and
  • the development of a monitoring platform of cyber-attacks.

The need to shift towards an information-centric/information-sharing model is pushing healthcare towards cloud computing.

Benefits of Cloud Computing

Cloud computing allows for the storage, management and analysis of data in a cost-effective way, allowing for flexibility and scalability based on data flows and fluctuating needs. The use of AI and ML to support clinical decisions and treatment becomes considerably more efficient in the cloud. In terms of security, the adoption of cloud systems should decrease the risk for HCPs and patients alike. Especially for HCPs, which need to comply with regulatory frameworks like the GDPR or other industry-specific standards, data centres provide the ability to maintain a high level of security with minimal risk.

Cloud services usually offer direct access to Tier 1 ISPs and ensure the high availability, resilience and low latency necessary for medical applications. Data centres, due to their specialisation, provide assurance to health customers that they can operate in compliance with applicable laws and regulations. Furthermore, foreign cloud providers are planning to invest in Greece, which will address potential cloud-related regulatory and compliance requirements.

Security Risks and Management

Nevertheless, cloud computing faces security risks such as data breaches, account hijacking, DoS attacks, etc. It is for this reason that healthcare organisations must establish service agreements with detailed provisions relating to security and privacy in order to mitigate the risks and liabilities. Specific provisions as regards physical or technical controls (eg, employee background screening, authentication/authorisation methods, etc) should be agreed between the parties. Moreover, the technical standards applied should be ensured to follow relevant regulation and compliance requirements, as well as industry standards and best practices (including ISO certifications).

Since healthcare providers tend to outsource a range of services, they need to have full visibility on the vendor’s security risks and management. Next to third-party risk, fourth-party risk management arises due to vendors further outsourcing their services, in which case the supply chain risk rises exponentially. A third-party risk management programme and relevant policies should be in place addressing the full depth of risk.

Applicable Legal Framework

In the absence of a special national or European legal regime regarding IP protection in digital health, the existing general national and European legal regime on patent, copyright and trade secret protection applies. However, given the continuous growth of the application of AI in digital healthcare, new challenges that need to be regulated arise from day-to-day practice.

In particular, the following legal frameworks are applicable:

  • Greek Law 1733/1987 on the Grant and Protection of Patents as well as Greek Law 1607/1986 on the Grant of European Patents, according to which the inventor of a machine which incorporates AI software and databases is protected through the establishment of a special intellectual property right (patent);
  • Greek Law 2121/1993 on Copyright (especially Articles 2α and 45α), according to which the creator of a database (“work” under Greek Law 2121/1993) automatically has the right of copyright – it is noted that the data themselves are not protected; and
  • Greek Law 4605/2019 on the harmonisation of Greek legislation with Directive (EU) 2016/943 on the protection of undisclosed know-how and trade secrets, according to which know-how and trade secrets related to AI systems (eg, robots or machines with incorporated AI software) are protected in case of unlawful possession or use by third parties.

Output Results of Intelligent Machines as IP Rights

Apart from the above, the national and European legal system is faced with the following fundamental issue: what might be the legal treatment of the output results of intelligent machines? Could they be recognised as subjects of intellectual property rights?

The human authorship principle in Greek legislation dictates the anthropocentric character of the subject of protection. In the context of Greek Law 2121/1993 – and according to its travaux – the creator always corresponds to a human being, ie, a natural person.

In view of the above, the creator of the output results of intelligent machines recognised as “works” under Greek Law 2121/1993 may be:

  • the natural person who was involved in the development and training of the machine; or
  • the users of the machine, including every natural person executing, using and giving instructions to the intelligent machine to produce a creative result.

Given that there is no relevant provision in the legislation, the identification of creative causality between the machine's creation and the human factor will take the form of an ex post evaluation. If the output can then be characterised as intellectual property owing to creative causality with a human factor, protection will be awarded on the basis of an assessment of the originality of that creation, an assessment which will focus on the crucial contributions noted above that establish creative causality.

According to Article 8 of Greek Law 2121/1993, private legal entities acquire copyright in a “work” created by an employee only on a contractual basis, except for software development (Article 40), where copyright is, under certain circumstances, automatically acquired by law. Public legal entities automatically acquire copyright by law.

According to Article 6 of Greek Law 1733/1987, legal entities acquire patent rights either:

  • ex post on a contractual basis;
  • automatically by law in case the employee had the contractual duty to make an invention; or
  • to the extent of 40%, where the invention was created with means, material or information provided by the legal entity.

Greek law allows the parties to deviate from the default statutory rules and to contractually determine the IP rights allocation as they wish. Legal rules in regard to IP protection are not mandatory and, therefore, standard contractual freedom applies in this regard.

Theories of Liability

The theories of liability arising from decisions based on digital health technologies are mainly as follows.

Civil liability

Healthcare service providers bear, under certain circumstances, contractual and non-contractual (especially tortious) liability towards the patient for any adverse outcome arising from decisions based on digital health technologies. In the absence of a specific European and national legal framework on AI, according to the general provisions of the Greek Civil Code (especially Articles 914 and 330) and Article 8 of the Consumer Protection Act (Greek Law 2251/1994), HCPs are obliged to compensate the patient if, during a medical act, they fail to comply with the statutory rules and principles of healthcare ethics that govern medical practice (illegality).

The liability of healthcare services providers (both contractual and non-contractual) is also fault-based, which means that compensation for losses is due to the patient only if the damage is caused by fault or negligence. In addition, according to Article 922 of the Greek Civil Code, private healthcare institutions are also objectively liable for the damage caused by the HCPs they employ.

Decisions based on digital health technologies

While making a decision based on digital health technologies (especially a disease diagnosis), HCPs must comply, inter alia, with specific statutory rules: Greek Law 3418/2005 (Code of Medical Ethics) and Article 66 paragraph 16 of Greek Law 3984/2011 on Telemedicine. In case they fail to correctly operate the digital healthcare equipment during decision-making, they bear contractual and non-contractual (especially tortious) liability towards the patient as stated above.

However, it must be noted that they bear no objective liability for the damages caused by an undetectable defect of the equipment used. Only the manufacturer (and in some cases the supplier) is liable towards the patient for defects that could not be easily detected by the healthcare services providers.

Ex ante (before the injury) limitation of liability is not allowed according to Article 332 paragraph 2 of the Greek Civil Code and Article 8, paragraph 6 of Greek Law 2251/1994. Ex post (after the injury) limitation of liability is allowed if the patient agrees.

Criminal liability

Healthcare services providers bear, under certain circumstances, criminal liability according to Articles 302 and 314 of the Greek Criminal Code for unintentional injury or death attributed to negligence.

Without prejudice to the provisions of Presidential Decree 131/2003, third-party vendors bear tortious liability towards the healthcare institutions in accordance with Article 914 of the Greek Civil Code. They also bear contractual liability on the basis of an existing contractual relationship with the healthcare institutions.

Third-party vendors bear no liability according to Articles 6 (Manufacturer’s Liability for Defective Products) and 8 (Service Provider’s Liability) of the Consumer Protection Act, and Directive (EU) 2019/770 on certain aspects concerning contracts for the supply of digital content and digital services, as long as healthcare institutions are not considered “a consumer”.

Managing Stress-Inducing Situations

Digital health and digital medicine are expected to open new frontiers in the management of various excessively stress-inducing situations affecting mental processes – ironically themselves the result of technological advances (most notably, social media). For example, VR and AR have been tested and could be useful in treating anxiety, depression or certain phobias, without – in most cases – even requiring the presence of a therapist.

These novel instruments are a research priority for many institutions around the world and, if these results continue to be successful, they will likely prove to be a powerful weapon for protecting public mental health.

Physical Pain

Physical pain is another domain where pharmaceutical companies have invested a lot in producing plain painkillers, narcotics or other more sophisticated anti-depressants, often with serious side effects.

Experimental studies with participants immersed in VR and AR experiences have shown reductions in levels of pain and general distress. In fact, the patients participating in these studies expressed the desire to use VR and AR again during painful medical procedures. Researchers hypothesise that VR and AR act as a non-pharmacological form of analgesia through emotion-based cognitive and attentional processes within the body’s complex pain modulation system. Put simply, it could be described as a distraction from the painful stimulus.

Mental Health

Digital health applications are expected to greatly affect the ways in which HCPs, pharmaceutical companies and all other major stakeholders operate in preventing, monitoring and managing/treating mental health disorders, physical pain and pain-inducing medical procedures.

In Greece, these novel therapies have not yet been officially approved, but the prediction is that, in the not-too-distant future, these practices could become mainstream modalities.

Koutalidis Law Firm

The Orbit
115 Kifissias Ave.
11524 Athens

+30 210 3607 811

+30 210 3600 069