Information and communication technology (ICT) is used in the process of storing, sharing, searching, and transmitting vast amounts of health-related data that is generated in the healthcare field. As such, services and products which use various kinds of ICT in the healthcare field are collectively referred to as "digital healthcare". Terms such as telemedicine, telehealth, telehealthcare, e-health, u-health, smart healthcare, and connected healthcare have been used interchangeably with digital healthcare. Generally, digital healthcare is defined as any health-related service that actively uses ICT.
Digital healthcare includes both clinically verified and clinically unverified services and uses ICT to:
As such, telemedicine services, remote health management services and their related platforms, and diagnostic imaging equipment using software created by restructuring medical data through AI, are also included in digital healthcare.
Digital Medicine and Digital Therapeutics
Digital medicine is a field of digital healthcare. In the narrow sense of the meaning, digital medicine means monitoring a patient’s drug intake status by inserting an ingestible sensor into the drug. In the broader sense of the meaning, digital medicine refers to all types of services that monitor, manage, diagnose and treat patients. As digital medicine is generally called digital therapeutics in Korea’s regulatory system, the broad sense of the term "digital medicine" shall hereinafter be referred to as "digital therapeutics". It can be divided according to its purpose into:
Digital therapeutics has the advantage of being able to monitor a patient’s condition when not being directly treated by a physician or other healthcare personnel, as well as easy collection, management, and storage of data. This is different from traditional medicine, which cannot monitor a patient’s condition when the patient is not being directly treated, and which has difficulty in collecting, managing, and storing patient data.
Legal Definition of Digital Healthcare
At present, Korea’s legal and regulatory system does not provide a clear definition of digital healthcare. In addition, the application of a regulatory framework may differ depending on the specific service model of digital healthcare. For example, telemedicine is subject to the regulations of the Medical Services Act (MSA) because it is basically a medical act (medical service) which differs only in the method and tool of examining and treating patients in comparison to traditional medical acts, and the cost for medical acts can be subject to reimbursement under Korea's national health insurance.
Legal Definition of Digital Medicine and Digital Therapeutics
Likewise, digital medicine is not clearly defined under the relevant laws. Yet, under Korea’s regulatory system, digital therapeutics is categorised as medical devices, not pharmaceuticals, thus it is governed by the Medical Devices Act. The Ministry of Food and Drug Safety (MFDS), which is the regulatory agency for medical devices, first enacted guidelines relating to the examination and approval of digital therapeutics in August 2020. In the MFDS’s guidelines, digital therapeutics is defined as “software as medical device that provides evidence-based therapeutic intervention to patients to prevent, manage, and treat diseases or disorders”. While no products have yet been approved as digital therapeutics in Korea, it is expected that an approved digital therapeutics product will come out within the next few years.
The major new technologies in the field of digital healthcare, including digital therapeutics, are as follows.
In Korea, telemedicine between patient and doctor is not yet permitted. Since telemedicine between doctors was allowed in 2002 (eg, remote consultation between doctors), there have been debates during the past 20 years on whether patient-doctor telemedicine should be allowed. However, it is still a restricted form of medical service. Recently, due to COVID-19, telemedicine services to patients have been temporarily permitted, and the demand for allowing telemedicine continues to grow.
There has also been much discussion on the cost burden and payment system for digital healthcare. Recently, in Korea, more companies have been entering into the digital healthcare industry but it has been pointed out that few companies have been able to generate profit due to the lack of an appropriate payment system. In particular, since Korea has a structure where most medical expenses are covered by one national health insurance system, there are difficulties in arranging reimbursement for innovative digital healthcare.
As explained in 1.4 Emerging Legal Issues, patient-doctor telemedicine is not permitted under current law. However, the Ministry of Health and Welfare (MOHW) announced in February 2020 that it would temporarily allow medical treatment by phone in order to reduce the spread of COVID-19 infection through person-to-person contact at medical institutions.
While the MOHW’s announcement expressly allows consultation and prescription via phone call, it does not appear to prohibit treatment through video calls or other means besides phone calls. As a result, it seems that the number of companies that provide telemedicine platforms has increased.
Also, due to the COVID-19 pandemic, the government has recognised the importance of non-face-to-face medical care, and has decided to further support related start-ups. In particular, research and development for remote monitoring services and technology and wearable devices, which had already begun, is now receiving more focus.
Climate change is not only impacting the environment but is also affecting people on a physiological level, for example, causing an increase in cardiovascular and respiratory diseases. Changes in temperature and humidity also increase the incidence of infectious diseases. Therefore, these climate changes increase the burden of cost on the public health system.
Digital healthcare services can provide information about climate change to patients who may be badly affected by it, so that they can prepare for the change in advance. In addition, these services can monitor the condition of patients who are affected by climate change and enable measures to be taken according to the patient’s state of health.
Specifically, fine dust pollution in the springtime is getting worse in Korea, and each year the number of patients with respiratory disease, especially chronic obstructive pulmonary disease, is increasing. It is expected that digital healthcare services can help by promptly responding to such health issues relating to climate change, however, there are not, as yet, many digital healthcare services related to climate change in Korea.
Key Regulatory Agencies and Their Roles
The MOHW regulates social welfare and healthcare systems through the enforcement of relevant laws, such as:
For reference, the government authorities working together with the MOHW include the MFDS, the Health Insurance Review and Assessment (HIRA), the National Health Insurance System (NHIS), and the National Medical Centre, and institutions established under the MOHW such as the national hospital for each district and the Korea Centres for Disease Control and Prevention.
The MFDS enforces the PAA together with the MOHW, and the enforcement of the Medical Devices Act (MDA) is also under the responsibility of the MFDS. Institutions under the MFDS include the Medical Device Information Support Centre.
Regulations for Digital Healthcare and Digital Medicine
As explained in 1.1 Difference between Digital Healthcare and Digital Medicine, digital healthcare and digital medicine are not defined in the legal system. Only digital therapeutics is defined in the Guideline for Approval and Review of Digital Therapeutics published by the MFDS. Digital therapeutics are classified as SaMD (Software as a Medical Device) and regulated as a medical device. Other digital healthcare services are regulated by the MOHW or the MFDS, or both, depending on the specific content of the service.
In addition, the reimbursement policy on digital healthcare services is determined by the MOHW, but once the policy for reimbursement of a particular service is adopted by the MOHW, the review process for reimbursement is done by the HIRA.
Regulations for Wellness Devices and Medical Institutions
Wellness devices are regarded to be in a non-medical field, therefore they are not subject to the regulations of the MOHW or MFDS. However, the MOHW has created guidelines for health management services and is trying to establish a system to certify companies that provide health management services, but specific details have not been finalised as yet. Therefore, companies that provide non-medical services, such as health management services, do not have to report to or obtain approval from the regulatory authorities.
On the other hand, in Korea, a healthcare professional cannot engage in medical services without establishing a medical institution and, except for certain specified exceptions, all medical services must be performed within a medical institution. The qualification criteria of those who can open a medical institution in accordance with the MSA are strict. Medical institutions can be established only by licensed healthcare professionals, local governments or entities of a public nature specifically permitted under the MSA. Due to these restrictions under the MSA, digital healthcare services that involve medical services (services that go beyond health management) must be provided through medical institutions; in other words, private entities are not able to provide medical services directly to customers even if they employ licensed healthcare professionals.
Recent Regulatory Developments
As the human lifespan is extended and as society gradually becomes an ageing society, the demand for medical services is increasing, and many innovative medical devices are being developed based on the development of information and communication technology. Under these circumstances, the IMDSA came into effect on 1 May 2020, for the purpose of further fostering the medical device industry.
In addition, with the development of advanced technology in the medical device field, the MFDS has published guidelines for the approval of medical devices using big data and artificial intelligence, as well as guidelines for the approval of digital therapeutics. The HIRA has also prepared guidelines for assessing reimbursements for innovative medical technology (especially medical technology based on AI in the field of pathology and diagnostic imaging).
Development Initiatives in Digital Medicine
Digital healthcare-related start-ups in Korea continue to submit opinions to the government to improve the relevant regulations, and the government is also attempting to ensure that innovative digital healthcare technologies can be used efficiently in the market.
Prospects of Digital Healthcare
As the digital healthcare industry in Korea is only in its early stages, it is difficult to predict which part of the industry will have the greatest impact on the digital healthcare field.
Unlicensed medical practice
First, if a person other than a healthcare professional (HCP) performs a medical act, such person will be subject to punishment for unlicensed medical practice, and if an HCP performs a medical act, but that act is outside the scope of the HCP's medical licence, this is also considered unlicensed medical practice.
Medical acts performed outside of a medical institution
Furthermore, HCPs may only perform medical acts within a medical institution. Therefore, it is not possible for an HCP to be employed by a private company and perform medical acts in Korea. For example, if a licensed nurse is employed by a private company and performs medical acts or acts that assist medical treatment, such acts will be considered unlicensed medical practice. In Korea, those who are specifically allowed to establish a medical institution are limited to licensed HCPs (doctors, dentists, Eastern medicine practitioners), local governments or entities of a public nature, and therefore it is not possible for a private company to directly provide services related to medical acts. Thus, in order for healthcare-related companies, including digital healthcare companies, to provide medical services to patients, ultimately, it is important that they co-operate with medical personnel working in medical institutions or have medical personnel choose to use that company’s product. Otherwise, if the company provides medical service to a customer directly, it will be subject to sanctions on the grounds that such acts were unlicensed medical practice or medical acts performed outside of a medical institution.
Criminal and administrative sanction proceedings
Unlicensed medical practice and medical acts performed outside of a medical institution are subject to criminal punishment, and the HCPs involved in such practice are subject to administrative sanctions, such as suspension of their licences. Where an investigation is launched due to a competitor’s allegations or detection by the relevant authorities, sometimes a criminal proceeding will be carried out first, or sometimes an administrative sanction proceeding will be carried out first. Each proceeding is a separate procedure, but the results of each may affect the other proceeding.
Referral "for profit"
In addition, in Korea, medical-related platform services may possibly violate the MSA. Under the Korean MSA, introducing or referring a patient to, or soliciting a patient for medical institutions or HCPs for profit ("Referral") is prohibited. Imprisonment of three years or less and/or penalties of up to KRW30 million can be imposed on a person who violates the aforementioned prohibition of Referral and the HCP involved in Referral can be subject to a suspension of their medical licence.
Generally speaking, the position of the relevant authorities, such as the MOHW and the Supreme Court is very conservative and they are strict with respect to interpretations of what constitutes Referral. When reviewing whether the Referral was performed “for profit”, the Supreme Court has broadly interpreted “for profit” to mean “any purpose which provides an economic benefit” to the party making the Referral, and specifically mentions that such benefit is not limited to the direct receipt of commissions or economic payments. Therefore, even if a fee or commission is not received for the Referral, if the Referral can increase the business or economic gains of the person making the Referral, then the court will find that the Referral was made for profit, in principle (eg, partnership arrangements with medical institutions whereby the Referral would increase the customer base of the party making the Referral, etc). While medical-related platforms have been emerging recently, they will not be free from the issue of violating the MSA, as mentioned above, if their profits can ultimately increase by making referrals to medical institutions.
Regulations on personal information in the digital healthcare field are important as vast amounts of medical data are generated, stored, managed and shared. The agency responsible for the regulation of personal information in Korea is the Personal Information Protection Commission (PIPC). Since medical data falls under personal data, it is regulated by the Personal Information Protection Act (PIPA), and the main regulatory agency responsible for enforcing PIPA is the PIPC. However, the PIPC takes into account the distinct characteristics of medical data and creates guidelines for processing medical data in consultation with the MOHW.
There are no other regulatory agencies overseeing wellness, fitness and self-care. The MOHW has established guidelines for health management services which are introduced to businesses that provide non-medical health management services.
So far, the new healthcare technologies have not caused the regulatory agencies to re-align or become integrated in any way. It is expected that the MOHW, MFDS, HIRA and NHIS will continue to carry out their roles as the main regulatory agencies.
Definition of Software as a Medical Device
The MFDS enacted guidelines for the approval and review of digital therapeutics in August 2020. The guidelines define "software as a medical device" as “software intended to be used as a medical device that performs functions that meet the purpose of the medical device without being part of the medical device hardware”. This definition is almost the same as the one provided by the International Medical Device Regulators Forum (IMDRF).
Categories of Software as a Medical Device
Since software as a medical device falls under the category of medical device, it is regulated by the MFDS. The MFDS also classifies and manages medical devices into Class 1 to Class 4 according to the degree of risk. In addition to this risk classification as a medical device, the safety of the software is classified into grades A, B or C according to the degree of harm that could be caused by software failure, defective design or potential flaws that may occur upon use. Depending on the grade of the software, the approval process and materials required to be submitted may also vary.
Regulation of Improvements or Changes to Software
If there is a change in any approved matter of a medical device, then a change approval must be obtained from the MFDS. Therefore, in principle, a change approval must be obtained if software is upgraded, resulting in a changed version. However, for software of innovative medical devices, special rules under relevant laws apply, and under these rules, a change approval is required only when there is a significant change, and in other cases, changes must be reported to the MFDS without having to obtain a change approval.
Here, an innovative medical device refers to a medical device that has been designated by the MFDS and which has significantly improved, or is expected to improve, safety and efficacy compared to existing medical devices or treatment methods, through improvement of the method of use or by application of cutting-edge technology in technology-intensive fields with high innovation speed, such as ICT, biotechnology, and robot technology. A significant change which requires a change approval is a change that:
Products Using AI and Machine Learning
Products that use AI and machine learning are not necessarily considered medical devices. Whether a product is a medical device is determined based on (i) the intended use of the product, and (ii) risk. The intended use must fall under at least one of the following:
Also, the risk must be determined by comprehensively considering (i) whether it is possible that the software could harm the patient by not functioning as intended, or (ii) whether the software guarantees the clinical determination of the medical personnel. Software that uses adaptive or continuous learning from AI and machine learning, and software that uses “locked” algorithms and software, is also regulated as a medical device if the requirements for a medical device (explained above) are satisfied. However, a device is more likely to be designated as an innovative medical device if it uses AI and machine learning.
Challenges in Offering Software as a Medical Device
In Korea, while there have been cases where products consisting of software as a medical device have been approved by the MFDS, there have not yet been any cases where such products have been recognised for reimbursement by the National Health Service system. Therefore, companies that provide software as a medical device have not been able to generate meaningful profits as yet.
Telemedicine in South Korea
Since Korea’s MSA does not allow patient-doctor telemedicine, telehealth has hardly played a role in Korea’s medical system so far. While doctor-doctor telemedicine (remote consultation between doctors) has been permitted since 2002, it has not been widely used because a health insurance reimbursement system for this was not established. Since July, 2020, however, doctor-doctor telemedicine has been recognised for reimbursement, but no data is available as yet on how much remote consultation has increased as a result of this coverage.
Meanwhile, the MOHW considers "remote monitoring" of patients as being permitted in Korea according to the interpretation of the MSA. As such, remote monitoring-related services are not prohibited, but reimbursement for these services is extremely rare. For reference, a pilot project is currently being implemented in Korea offering reimbursement for remote monitoring and management of patients with Type 1 diabetes and in need of peritoneal dialysis.
In order to perform a medical act (practise medicine) in Korea, a medical practitioner’s licence must be obtained in Korea. Since the current law in Korea does not permit patient-doctor telemedicine, there has not been much discussion on cross-border telehealth. If a foreign-licensed doctor performs telemedicine for Korean patients, it would be considered unlicensed medical practice under Korean law, but if the foreign-licensed doctor or company that provides the telemedicine service is located outside Korea, it would be difficult for the MOHW to impose sanctions on this activity.
Temporary COVID-19 Regulatory Changes
As explained in 1.5 Impact of COVID-19, patient-doctor telemedicine is temporarily being permitted in Korea due to the COVID-19 situation. However, unless the current MSA is amended, this temporary situation will not become permanent.
Other Relaxed Regulatory Barriers
Meanwhile, certain telemedicine services or remote consultation services are allowed through a regulatory sandbox. For example, the regulatory sandbox review committee approved a service in 2020 in which a patient uses a smart rehabilitation device at home to perform rehabilitation training as prescribed by a doctor, and where the doctor or medical technician monitors the training and provides non-face-to-face counselling and advice within the scope of the initial prescription.
In addition, the at-home care pilot project for diabetic patients and peritoneal dialysis patients allows for reimbursement when confirming the patient’s condition through remote monitoring and providing consultation. It is expected that, while limited, there will be an increase in customised medical services through continuous monitoring of patients.
Regulation of Online Platforms Such As Zoom and Microsoft Teams
Zoom and Microsoft Teams are services that are widely used in Korea, and there are no special regulations with respect to these services.
Remote collaboration for treatment between doctors has been allowed since 2002, however, it has failed to be actively implemented because such consultation service was not considered reimbursable. Since July 2020, however, the MOHW has been separately recognising and reimbursing the fees incurred by remote collaboration for treatment.
Also, due to the COVID-19 situation, telemedicine has been permitted since 2 March 2020, and reimbursement for telemedicine was recognised as being the same as for fees for face-to-face treatments. Here, the patient’s cost burden is the same as the co-payment rate for an outpatient.
Furthermore, since 14 April 2020, an additional 30% was awarded for telemedicine performed during night shifts and holidays, and for paediatric care.
Since 8 May 2020, the government has recognised a separate management fee for reimbursement when performing telemedicine in a clinic-level medical institution; and furthermore, to promote telemedicine during the COVID-19 pandemic, the government has exempted the co-payment for patients receiving telemedicine from clinic-level medical institutions.
Accordingly, the government has been providing various reimbursement benefits to encourage telemedicine in light of the COVID-19 situation. While it still remains to be seen whether the relevant laws will be amended to allow telemedicine once the COVID-19 situation is over, the situation should also be carefully observed to see whether reimbursements for telemedicine will be recognised to the extent that they are being recognised now.
Internet of Medical Things
The internet of medical things (IoMT) refers to a connected infrastructure of devices, software, hardware and services to process and analyse data for decision-making by healthcare professionals in the patient’s treatment. Generally, this would include a device that monitors a patient’s condition, and is a concept that encompasses wearable devices, remote sensors, wireless patches, and medical devices that transmit biometric information such as heart rhythm and electrical activity, brain waves, blood pressure, blood sugar level, and body temperature.
Not only will the use of IoMT improve personally customised and preventive treatment, it is also expected to help patients manage their health and help reduce medical costs.
Technologies That Enable IoMT
Technologies that enable IoMT include 5G network and big data analysis technology, and IoMT is expected to evolve even further through machine learning.
Main Regulatory Issues Related to Medical Devices
Security Risk of IoMT
Since a vast amount of information is collected through IoMT, various measures are needed to protect it against cyber-attacks. For instance, it is necessary to implement an additional encryption mechanism to secure continuous feedback on network anomalies and monitor whether the connected device interacts well with the network, and also consider ways on how to segment the network. This way, non-critical devices can be separated from the core system, limiting the vulnerability of the entire network.
Regulatory Issues with Digital Assistants Such As Alexa
It is possible for digital assistants to provide health management services as long as these do not reach the level of medical services. For instance, it is possible to provide objective information relating to health, or provide guidelines and standards that are officially approved by a reputable institution. In addition, it is also possible to provide goal-setting and management to promote general health activities and disease prevention and management activities. Also, while it is possible to provide services for the purpose of managing chronic illnesses, providing consultation for the direct purpose of treatment is not possible as it is considered a medical service. For instance, it is possible to provide diabetic patients with advice on diet and exercise, however, it is not possible to provide specific medication instructions or to prescribe drugs that lower blood sugar. Privacy issues should also be taken into account when digital assistants collect health-related information from users.
Impact of 5G Network
Due to the increasingly widespread use of the 5G network in Korea, it has become possible to transmit massive amounts of data very quickly and connect to a wider variety of devices. As a result, favourable conditions have been established for the development of telemedicine and the use of the IoT; however, the fact that telemedicine, in principle, is not permitted under the current MSA and the fact that receiving treatment from a medical practitioner located overseas could be considered unlicensed medical practice under Korean law hinder services that use telemedicine and the IoT from flourishing.
Accordingly, there is growing demand for amendment of the relevant laws to allow telemedicine. Also, in order to graft the advantages of the 5G network into the emergency medical field, the Korean government is carrying out a project to develop an emergency medical system using 5G technology through the collaboration of related regulatory agencies. Specifically, applying 5G AI technology at the emergency medical treatment stage would enable intelligent emergency recognition, automatic measurement of patient biometric information, and intelligent emergency treatment patient classification for the efficient and speedy treatment of emergency patients. Meanwhile, the 5G communication network can connect the ambulance to the hospital emergency room and enable emergency service support, such as providing emergency medical guidance and guidance for optimal transport to the hospital, while transferring the patient in the ambulance.
Commercial and Contractual Considerations
The most important considerations healthcare institutions will face when entering into arrangements with telecom providers to deploy and manage the 5G network will be to have well-defined requirements regarding information security, and make clear the parties’ responsibilities with regard thereto.
Regulatory Frameworks for Using and Sharing Personal Health Information (PHI) in Research and Clinical Settings
The general law governing the protection of personal information is PIPA, which regulates the overall collection, use and sharing of personal information.
For clinical research, a special law called the Bioethics and Safety Act (BSA) is applied. The BSA contains special provisions which stipulate that if a human subject researcher obtains written consent from a research subject on providing personal information, such information may be provided to a third party after being reviewed by the institutional committee, and unless the research subject consented to including their personal identification information (PII), the PII contained in the personal information must be permanently deleted or replaced in whole or in part with the non-identifying code system of the relevant institution.
The MSA will apply in a clinical setting. The MSA prohibits medical personnel and the head or employees of a medical institution (excluding extremely limited exceptions) from allowing someone other than the patient to access or view the contents of the patient’s records.
In short, the general rules of PIPA regarding the collection, use and provision of personal information apply to the processing of PHI, but additional restrictions apply to the provision of personal information to a third party in human subject research, and to the provision of patient records in connection with medical practice by medical personnel.
Legal Effects of De-identification and Aggregation and Related Issues
PIPA defines personal information as information related to a living individual which includes both directly identifiable information and information which, by itself, does not readily identify an individual, but which can easily be combined with other information that allows an individual to be identified. Conversely, to make personal information not identifiable by itself, or even when easily combined with other information, is called “anonymisation”. When personal information becomes anonymised, it is no longer subject to PIPA. This anonymisation is also called “de-identification”, and aggregation is one of the common methods of anonymisation.
While it does not meet the level of anonymisation, the process of making a specific individual unidentifiable without additional information, such as by deleting part of the individual’s personal information or by replacing it in part or in whole with another non-identifiable symbol, is called “pseudonymisation”. Pseudonymised personal information has a higher chance of re-identification than anonymised information, thus it remains subject to PIPA. However, in order to foster the growth of medical big data, PIPA has recently been amended so that pseudonymised PHI may be used and provided without obtaining consent from the data subject for the purpose of producing statistics, scientific research and archiving for public interest.
Digital Healthcare and Patient’s Consent
The above rules apply even in a digital healthcare environment. In particular, because digital healthcare is a service that is provided online, the special rules for the information communication service provider (ICSP) among PIPA’s personal information protection-related regulations apply. According to these rules, the provision and use of personal information is possible only with the consent of the data subject, except in special cases permitted by law, and this also applies in the context of digital healthcare. Therefore, the legal basis for processing personal information in most contexts is having the specific consent of the data subject.
The type of consent required is explicit, on an opt-in basis, and informed.
Personal information includes not only general personal information, but also sensitive information such as that relating to health. Under PIPA, consent for general personal information and consent for sensitive information must be obtained separately. Furthermore, consent for the collection and use of personal information and consent for the provision of personal information to a third party must also be separately obtained, and special rules may apply if the personal information is to be transferred overseas. In addition, required consent matters must be distinguished from optional consent matters when obtaining consent in order to guarantee the data subject’s right to choose.
Realistically, it may be a challenge to implement this kind of consent in digital healthcare, and since it is especially difficult to obtain this kind of consent when processing personal information for research purposes, there may be an increased reliance on pseudonymisation-related regulations.
Data Breach-Related Legal Risks
Regulations on data breach, especially data leakage of personal information, are set forth in PIPA. The specific applicable regulation may differ depending on whether the data controller is an ICSP, but a violation can result in a fine equivalent to 4% of the maximum related sales and, depending on the case, a fine for negligence, a corrective order, or even criminal punishment of the person responsible for the data leak by up to two years' imprisonment or a penalty of up to KRW20 million. In civil cases, the personal information data controller may be held liable for damages to the data subject affected by the data breach, and if the data breach was made intentionally or through gross negligence, punitive damages exceeding three times the amount of actual damages may be imposed.
Disclosure of Confidential Information under the MSA and BSA
If a medical personnel discloses another person’s information which the personnel learned while performing their duties, or if they violate the restriction on third-party data provision under the MSA, explained above, such person may be subject to up to three years' imprisonment or a fine of up to KRW30 million. In addition, under the BSA, a person who divulges or appropriates confidential information, such as personal information, may be subject to up to three years' imprisonment. In this case, if such person’s actions were related to the employer’s work, the employer may be subject to a fine of up to KRW50 million. Neither the MSA nor the BSA has any specific regulations on civil liability, therefore the general legal principle of damages will apply in civil cases.
AI in Healthcare
So far, AI in healthcare is seen as augmented intelligence. That is, AI technology appears to take on the function of a tool which assists doctors with prescribing and making decisions. However, further advances in the field of AI and machine learning could lead to artificial intelligence replacing doctors in some fields.
Data Use and Data Sharing of Personal Health Information
The rules of PIPA will be applied as to the permissibility and scope of using PHI collected for healthcare services as training data for machine-learning algorithm development.
As mentioned above, since PIPA often requires consent to process personal information, the biggest issue is how to obtain consent for use and provision for the above purposes, and what alternative legal basis can be relied on if consent cannot be obtained. Regarding the latter aspect, as mentioned in 9. Data Use and Data Sharing, the issue will be whether it will be possible to use pseudonymised PHI, and whether the use and provision of PHI as training data can be justified as the further processing of PHI in a way that is compatible with the purpose for which the PHI was initially collected.
Key Roles of Machine Learning in Digital Healthcare
Machine learning applications can potentially improve the accuracy of treatment protocols and health outcomes through algorithmic processes by impacting record-keeping, data integrity, and predictive analytics.
Risk of Misuse of Sensitive Data and Cybersecurity Attacks
PHI is not only information that is important in terms of personal privacy, it also has great use value, and therefore it is prone to the possibility of cyber-attack or misuse. In this regard, PIPA requires strengthened security measures for sensitive information. In addition, the PIPC applies a stricter guideline for the pseudonymisation of PHI in view of such risks.
Centralised Electronic Health Record Computer Systems
The use of centralised electronic health record computer systems has the advantage of realising the standardisation of electronic medical records (EMRs) in medical institutions and enabling the easy development of new services through using EMR. However, the problem is that it is difficult to establish a centralised electronic health record computer system. So far, various medical institutions have each established their own EMR system based on their own standards, and it will not be easy to integrate these into a standard version. Nevertheless, the MOHW started the EMR certification system in June 2020 and is attempting to standardise EMR at the national level. However, it has been pointed out that achieving success in this will be difficult due to the current lack of incentive for participation by medical institutions.
Regulation of Data Use and Data Sharing in the Machine Learning Context
The PIPC’s guidelines recommend applying the privacy-by-design principle when developing AI using personal information and performing personal data (protection) impact assessment (however, these recommendations are not obligatory for private business operators under PIPA).
Role of Natural Language Processing
Natural language processing is expected to be helpful in the healthcare field by helping doctors understand and analyse the meaning of human speech communicated during treatment, and even to help the doctor make clinical decisions. To propose a clinical decision, AI machine learning will have to be combined with natural language processing. From a regulatory standpoint, it will be important to determine whether a tool using natural language processing will be considered a medical device, and whether reimbursement can be obtained for using this technology.
The benefits of 5G technology, such as enhanced mobile broad band and Mission Critical Control, are necessary for facilitating telehealth, IoMT and data transmission.
The ability to utilise machine learning is needed to support new digital health technology, and the data encryption tool is also important for cybersecurity and data protection.
Factors Driving the Increase of Cloud Computing in Healthcare
Hospitals are increasingly using EMRs because of the vast amount of medical information being generated in medical institutions. However, as the risk of information leakage increased and the management of data became difficult, a cloud computing service for storing electronic medical records outside the hospital was proposed, which the Korean government strongly recommended. In 2016, the MSA Enforcement Rules were amended to allow electronic medical records to be stored in the cloud.
Key Legal Concerns
Privacy and security issues appear to be the biggest concerns. To protect against data breach and maintain data confidentiality, a cloud computing service provider must take appropriate security measures and not misuse the collected data beyond the scope and purpose of its collection. In addition, relevant contracts must include sufficient safeguards, such as the cloud service provider's duty to notify business operators in case of a data breach, and the duty to take subsequent measures to address any data breach. PIPA requires certain items to be in the contract or written agreement when a business operator delegates the processing of personal information to a third-party service provider (including a cloud computing service provider) and imposes a duty to manage and monitor the service provider.
If EMRs are stored in places other than medical institutions, such places must be furnished with the facilities and equipment required under the MSA, its Enforcement Decrees and notices, and comply with the restrictions regarding the physical storage location.
Best Practices for Data Centre Use
Medical records include various kinds of data and because multiple healthcare professionals record the data, it is necessary to collect and reflect the opinions of each healthcare professional when doing an IT upgrade. There has been no standardisation of medical records so far in Korea and it has been pointed out that the lack of development and improvement of the current medical records system is problematic. In addition, because there are not many types of EMR vendors, it is common to have multiple IT vendors involved.
In the field of digital health, the most-discussed topic relating to IP rights is the field of technology using AI.
Patent, Copyright and Trade Secrets in Digital Health
The Patent Act denies the patentability of a computer program in itself, but recognises patentability where information processing by a computer program is realised through hardware. Therefore, if AI technology is produced through hardware, it can be recognised as a patent.
Under the Copyright Act, the term “computer program work” is defined as “creation expressed in a series of instructions or commands which are directly or indirectly applied within a computer, in order to obtain certain results”, and therefore AI can be protected as a computer program work. Also, data used by AI to learn can fall under “database” protected under the Copyright Act. Therefore, a person who collects and controls deep learning data for AI learning can be protected as a “database producer” under the Act.
Also, there is discussion that an invention created by AI technology could be protected as a trade secret even if a patent is not granted on such invention.
Authorship of Inventions and Works Created by AI Technologies without Direct Human Contribution
There has not been much discussion or theory established in this field. Under the Patent Act, the inventor of a patented invention is presumed to be a natural person and thus it does not seem possible to grant a patent to AI-developed technology. However, it is possible to recognise the patent right of a person who instructs and participates in the creation while using AI as a tool for invention, to the extent that certain inventive contribution is recognisable. Here, an issue may arise as to the ownership of invention if the owner of AI (eg, a company) and the operator of AI (eg, an employee) are different. Although Korea adopts the employee invention system under Korea’s Invention Promotion Act, if an employee acquires a patent in the course of their employment, the employer can succeed to the right to such patent and/or receive a non-exclusive licence in the right to the patent.
Since Korea follows the employee invention system, if an employee completes an invention, the employee succeeds to the right to a patent of that invention.
However, because the employer provided the employee's wages, research facilities, research support, technology, education support, etc, the employer can receive (i) a non-exclusive licence in the right to the patent, and (ii) succeed to the right or obtain an exclusive licence by entering into a succession contract in advance. Here, the company must give fair compensation to the employee for succession to the employee’s right or to obtain an exclusive licence.
Therefore, most companies have an employee invention provision in their employment contract, whereby the company can succeed to inventions created by employees. This principle also applies to colleges, research institutions and universities that own hospitals.
Even if the patent right is jointly owned, each co-owner may in its entirety exercise the patent right regardless of their share, but there are some restrictions under Korea’s Patent Act as follows:
Because of this limitation, patent rights are not usually shared and, in many cases, even if two or more parties are involved in the invention, one person owns the patent and the other receives only a licence for it. Alternatively, the parties can also make an agreement in advance to address the above legal restrictions.
When a medical malpractice occurs due to a medical decision based on AI machinery or technology, the doctor who provided the medical service will be primarily responsible to the patient. Depending on the specific facts of the case, the doctor may later file a claim indemnity from the company that provided the AI machinery or technology. In determining liability, the question will turn on whether the doctor’s judgement and the AI’s recommendation meet the standard of care.
A Few Possible Scenarios to Determine Responsibility
If the AI’s recommendation met the standard of care, but the doctor did not follow the recommendation, resulting in a medical malpractice, the doctor is solely responsible for the medical malpractice.
If the AI’s recommendation met the standard of care and the doctor followed the recommendation, but a medical malpractice resulted, neither the company that provided the AI machinery nor the doctor is responsible because each acted in accordance with the standard of care.
If the AI’s recommendation did not meet the standard of care and the doctor did not follow it, but a medical malpractice occurred, the question of the doctor’s liability will turn on whether the doctor’s medical service met the standard of care. As a separate matter, it appears that the doctor can go after the company for providing a machine that failed to meet the standard of care.
If the AI’s recommendation did not meet the standard of care, and the doctor followed it, but corrected it after finding out that it was wrong before the patient’s injury occurred, the doctor is not responsible to the patient, but the doctor may still go after the company that provided the AI machinery for providing a machine that failed to meet the standard of care.
Where the Third-Party Vendor's Products or Services Result in Damages
If a healthcare institution suffers damages caused by a third-party vendors’ products and services, liability will be decided as follows:
This applies, for example, to cases in which the healthcare institution directly suffers losses due to products or services provided by the vendor, as well as in cases where the patient of the healthcare institution suffers direct loss and the healthcare institution incurs economic loss in compensating the patient for such damages. For example, such cases may occur if information is leaked because the vendor providing the computer system used by the healthcare institution fails to take technical and organisational measures to safeguard data which is processed through such system. In this case, the healthcare institution suffers direct damage (if important information such as trade secrets of the healthcare institution are leaked) or the healthcare institution indemnifies the patients due to the leakage of the personal information of patients in the healthcare institution.
If the product provided by the third-party vendor as a manufacturer is a “product” under the Product Liability Act, and such product causes damage to a healthcare institution due to a defect, the third-party vendor must compensate the healthcare institution for damages on the grounds of product liability under the Product Liability Act.
Where the Third-Party Vendor Provides Direct Healthcare that Results in Damages
On a separate note, if a third-party vendor directly provides healthcare services to a patient for a healthcare institution and incurs injury to a patient, the healthcare institution may be liable for direct breach of contract with the patient. This is because the vendor is considered an agent of the healthcare institution, and thus the vendor's actions are treated as being those of the healthcare institution. If the vendor's actions are also illegal, the vendor will then bear tortious liability to the patient, and the healthcare institution, as the vendor's user, will also bear tortious liability. In this case, the healthcare institution can be exempt from liability if it can prove that it has fulfilled its supervisory duty to the vendor (however, in reality, this is very difficult to prove). If the healthcare institution compensates the patient for damages in such a case, the healthcare institution may exercise its right to indemnification against the vendor (ie, claim damages against the vendor for breach of contract or tort, as described above).
PIPA was amended last year to enable specific uses of personal information (eg, the use of pseudonymised data for scientific research purposes). In line with these changes, there has been renewed interest in the utilisation of medical data, and more changes to the relevant laws are expected. The amendment bill to the MSA earlier in 2021 is an amendment to keep up with these changes and the content “enables medical institutions to send medical records to a third party designated by the patient upon the patient’s request”. Although the medical community has attacked this amendment bill for putting a burden on medical institutions, it will likely be passed because the direction is similar to the MyData Project promoted by the MOHW.
The MyData Project is a government plan to implement a system where the data subject is provided the means to collect, transfer and use, for its own benefit, the personal information that it has provided to various personal information processors. If this bill is passed, the industry will be able to develop various healthcare services using medical records.