“Digital healthcare”, “digital medicine” and “digital therapeutics” refer to the integration of traditional healthcare into the digital environment. The core technologies allowing for this digital transformation include the internet of things (IoT), cloud computing, sensors, big data and artificial intelligence (AI).

Medical Data

Medical data that an individual directly or indirectly generates can largely be divided into three categories:

• genetic information;
• personal health information; and
• electronic medical records (EMRs).

With regard to genetics, an individual generates roughly three billion genetic base pairs, which allows the implementation of precision medicine, personalised new drug development, genetic editing and synthetic biology.

Personal health information refers to information that is collected through, for example, wearable devices and other healthcare-related monitoring apps (eg, blood sugar levels, blood pressure, heart activity, and dietary information).

Such information is used to provide individuals with everyday health information, which can help prevent, or even mitigate currently existing diseases.

EMRs refer to a form of digitisation of medical records which would contain, in essence, personal information, medical history, health conditions and prescription information. The digitisation of EMRs is key in identifying specific clinical results based on analysis of genetic information and personal health information and, thus, South Korea is accelerating the process of digitising previously non-digitised medical records to allow further use of real-world data to generate real-world evidence.

The Status of Digital Healthcare in South Korea

South Korea has the world’s most developed 5G network and IT technology. It is also the leading country in the use of image archiving communication systems and electronic medical reports in hospitals. This makes South Korea the optimum environment for digital healthcare to flourish.

Nevertheless, compared to global counterparts, Korea’s digital healthcare industry is still in its infancy. For example, Korean companies are not found on the global list of top 100 digital healthcare start-ups, based on accumulated investments. The main reason for this is the regulatory hurdles.

Typical regulatory obstacles to digital healthcare in South Korea concern:

• telemedicine;
• the use of medical information;
• cloud storage;
• genetic information for customised medical care;
• anonymisation and pseudonymisation of medical information as big data; and
• insurance reimbursement listing of digital technology.

In March 2023, the government announced the “Plan for Regulatory Innovation of Biohealth New Industry” and proposed ways to reform regulations in the “biohealth industry”, including “digital health”. Specific tasks related to digital health include institutionalisation of telemedicine, and improvement of the electronic medical record system.

The introduction of digital healthcare services and related products as a result of these regulatory improvements is expected to bring about a variety of changes in providing healthcare to patients as well as the relevant technology.

For example, healthcare professionals (HCPs) in Korea will be able to provide new, innovative healthcare services to patients to prevent or manage diseases, while patients will gain access to new healthcare services not bound by time or space.

As a nation with traditionally strong technological resources, the advent and development of digital healthcare is being strongly pursued by numerous IT companies, including start-ups, in Korea.

Definition of Digital Health

As of now, there is no definition of digital health provided in local law. However, the Digital Medical Products Act, proposed by the National Assembly in March 2023, defines digital medical products as digital medical devices, digital convergence drugs, and digital medical/health support devices, and among them, digital medical devices are defined as “medical devices to which advanced technologies such as intelligent information technology, robot technology, and information and communication technology are applied, and which are used for the purpose of diagnosing and treating diseases.” The Digital Medical Products Act is currently under deliberation by the National Assembly.

Definition of Digital Medicine

Currently, there is no definition of digital medicine provided in local laws. However, the term is generally used to mean providing personalised healthcare by collecting and analysing medical data. All devices used for such purposes, however, are generally categorised as medical devices (see below).

Definition of Digital Therapeutics

There is currently no definition of digital therapeutics provided in local law. However, the government takes the position that digital therapeutics is a form of “medical device”, and according to the Digital Medical Products Act proposed by the National Assembly in March 2023, a “digital converged drug” is defined as a product that combines a pharmaceutical product with a digital medical device or a digital medical/health support device, and its main function is to qualify as a pharmaceutical product.

Artificial Intelligence and Clinical Decision Supporting Systems

One of the most important technologies enabling the growth of digital healthcare and digital medicine is the advent of AI and clinical decision supporting systems. Digital healthcare, which uses AI for example, includes the development of software which not only provides the best treatment options based on real-world data, but also helps in the diagnosis of diseases. For example, software that reviews computed tomography and magnetic resonance images identifies diseases at a much faster rate and higher accuracy.

Big Data and Genetic Analysis

Next-generation sequencing allows for the analysis of genetic information which helps predict the probability of certain diseases in individuals.

In addition to existing laparoscopic surgery, robotic medical devices are used in areas ranging from orthopaedic surgery, such as artificial joint insertion, to surgeries such as cholecystectomy.

Other key technologies include companion diagnostics, complementary diagnostics, telemedicine services, direct-to-customer digital healthcare technology and wellness products.

Telemedicine Services

The Medical Services Act (MSA) generally provides that the practice of medicine must take place physically within a medical institution. Therefore, telemedicine is, in principle, prohibited in Korea. However, because of the COVID-19 pandemic, Korean health officials had temporarily allowed telemedicine to be used in Korea (eg, consultation and/or prescription of medicine via telephone counselling). Expenses relating to these telemedicine services are also reimbursable with National Health Insurance (NHI).

Based on its examination of NHI claims from February 2020 to January 2023, the Ministry of Health and Welfare (MOHW) found extensive use of telemedicine and determined public consensus favoured telemedicine and has announced the adoption of a pilot project under which non-face-to-face treatment is permissible and reimbursable with NHI starting on 1 June 2023.

Please refer to 1.5 Impact of COVID-19 for further details.

Use of Medical Data

In 2021, the government established the “My Healthway” project, an infrastructure for sharing and using personal health records. However, under the current Medical Services Act, a medical institution cannot directly provide personal medical data to a third party, even with the patient’s consent, unless such provision falls under the specified exceptions. In order to address this issue, an amendment of the Medical Services Act has been proposed to introduce the “right to request the transmission of medical information to a third party” to medical institutions.

Wellness Products

Wellness products refer to everyday instruments which provide healthcare information (eg, smart watches which measure heart rates, body temperature, blood pressure, etc). However, there is controversy about which products constitute “medical devices” and therefore require marketing authorisation.

The concept of “digital medical/health support device” was introduced in the recently proposed Digital Medical Products Act. Digital medical/health support devices refer to “instruments, machinery, devices, software or other similar products designated by the MFDS to which digital technology is applied, that are not digital medical devices but are used to monitor, measure, collect, analyse, etc, biometric signals for the purpose of supporting medical services or maintaining and improving health.” Products that are currently classified as wellness products and are not specially regulated may be newly subject to management under the proposed Digital Medical Products Act.

Medical Services Based on AI Technology

AI technology in this sector is generally regarded as a medical device and requires marketing authorisation, which includes approval of registration for insurance under the NHI system. However, due to the lack of clear regulations, no AI technology-based medical service has successfully obtained the necessary approval and registration. The MFDS has recently established a Digital Health Regulatory Support Division which has raised hopes of alleviating regulatory obstacles.

As discussed in 1.4 Emerging Legal Issues (Telemedicine Services) the restriction on the provision of remote healthcare was temporarily relaxed during the COVID-19 pandemic. Furthermore, the Ministry of Trade, Industry and Energy (MOTIE) also permitting Korean doctors to provide telemedicine services to Korean citizens living abroad (ie, consultation and prescriptions), via a regulatory sandbox.

Due to the downgrade of the level of seriousness of COVID-19 in Korea (from “serious” level to “alert” level as of June 2023), temporary non-face-to-face medical treatment lost its legal basis. However, a pilot project was adopted by the Health Insurance Policy Deliberation Committee and implemented starting on 1 June 2023, under which non-face-to-face medical treatment is permitted and reimbursed under the NHI system. The pilot project is based on the following three principles, which were established after a series of meetings between the MOHW and the Korea Medical Association: (i) the project will focus on returning patients, (ii) the project will focus on clinic-level medical institutions, and (iii) patients will be permitted to choose pharmacies. 

Under the pilot project, patients would be limited to returning patients who have been treated in person at least once for the same disease at the same clinic. Non-face-to-face medical treatment is permitted for first-time patients only in exceptional cases where patients are in remote areas or have impaired mobility. For paediatric patients (those under the age of 18), medical consultations (but no prescriptions) are permitted at night and on holidays, even if there is no record of a face-to-face visit.

Also, under the pilot project, non-face-to-face medical treatment will be limited to clinic-level medical institutions. Hospital-level medical institutions are permitted to provide non-face-to-face medical treatment only in exceptional cases for patients with rare diseases who have had one or more face-to-face visits and whose physician determines that they need ongoing care after surgery or treatment.

Finally, the pilot project prohibits auto-assignment of pharmacies, which was a feature in the existing telemedicine platform app used during the COVID-19 pandemic. The pilot project allows patients to choose the pharmacy they want by displaying all available pharmacies based on patient location. Prescriptions, however, will need to be picked up in person with home deliveries permitted only in exceptional cases where patients are in remote areas or have impaired mobility or infectious or rare diseases.

The adoption and implementation of the pilot project indicates that the health authorities have taken a major step towards permitting telemedicine, but controversy is expected to continue. The health authorities will need to continue to maintain a consensus between the public and pharmaceutical and medical professionals.

Key Regulatory Agencies

Ministry of Health and Welfare (MOHW)

The MOHW is a key stakeholder as the ministry in charge of the following:

• developing national healthcare policies;
• managing the fiscal sustainability of the NHI system; and
• overseeing policy implementation.

The MOHW has issued guidelines such as the Guidelines on Non-Medical Healthcare Services (which provide guidelines on which products are medical devices and which are non-medical devices) and the Guidelines for the Use of Anonymised/Pseudonymised Medical Data, among others.

Health Insurance Review and Assessment Service (HIRA)

The HIRA reviews and assesses healthcare costs and healthcare service quality and supports NHI policies in determining medical fee schedules and drug prices. HIRA is responsible for developing guidelines that apply to the insurance reimbursement listing of digital medical services and devices.

The National Health Insurance Service (NHIS)

For drugs determined to be reimbursable, the NHIS and pharmaceutical companies negotiate drug prices after HIRA evaluation. A key factor to be considered by the NHIS is the budget impact of the addition of a new drug.

Ministry of Food and Drug Safety (MFDS)

The MFDS reviews and approves pharmaceuticals and medical devices for safety, efficacy and quality, through technological review and inspection for their manufacturing and distribution. In February 2022, the MFDS established a Digital Healthcare Regulatory Support Division, which aims to manage the review and approval of digital medical devices.

Updates on Regulatory Authorities

On 16 March 2023, 15 members of the Health and Welfare Committee of the National Assembly proposed the Bill on Digital Medical Products. The key contents of the Proposed Bill are as follows:

• a new definition of digital medical products'
• the establishment of a regulatory system, (for approvals, etc) related to digital medical products;
• verification of the effectiveness of digital medical products and establishment of grounds for safety management;
• the establishment of grounds to promote the development of digital medical products and support them.

On 7 October 2022, members of the Health and Welfare Committee of the National Assembly proposed the Act on Promotion of Digital Healthcare and Promotion of Utilisation of Health and Medical Data (the “Digital Healthcare Promotion Act”). The key contents of the Digital Healthcare Promotion Act are as follows:

• a definition of the concept of digital healthcare;
• the scope, method, procedure, etc, of pseudonymisation of health and medical data are prescribed by law;
• the introduction of the right to request transmission of medical data and establishment of a management system; and

• a new regulatory sandbox specialised in digital healthcare.

On 10 February 2022, eleven members of the Trade, Industry, Energy, SMEs and Start-ups Committee of the National Assembly proposed the Bill on Fostering and Supporting the Digital Healthcare Industry. The key provisions of the proposed bill are as follows:

• a new definition of the digital healthcare industry;
• an obligation on MOTIE to develop plans to support the digital healthcare industry;
• certification for outstanding digital healthcare companies and establishment of grounds for such support; and
• grounds for overseas expansion of the digital healthcare industry.

Regulatory Sandbox Programme

Since January 2019, as part of the effort to improve the regulatory environment and to encourage the development of new technology and industries, the Ministry of Science and ICT and MOTIE have adopted a Regulatory Sandbox. If existing regulations are unclear, irrational or prohibitory, the Regulatory Sandbox allows three mechanisms to address these issues.

• First – under the “Proven Exception” provision, the Regulatory Sandbox will relax a restrictive regulation under specific conditions on scope, scale, and duration.
• Second – “Temporary Approval” allows for a market-first, evaluation-later approach.
• Third – under the “Active Administrative Interpretation” mechanism, a more relaxed interpretation of existing regulations is allowed.

For reference, the Digital Healthcare Promotion Act proposed in October 2022 newly introduces a regulatory sandbox system specialised for digital healthcare. Therefore, it is necessary to keep an eye on the current trends in the system.

Other Regulations

Other recent regulatory developments include:

• enactment of the Act on Fostering the Medical Device Industry;
• promulgation of Guidelines on Specific Plans for Use of Medical Data;
• amending the evaluation standard for innovative medical technology;
• regulations on procedures and methods for designation of innovative medical devices;
• an amendment to the Guidelines on Implementation of Innovative Medical Technologies and the Guidelines on Management of New Medical Technologies Subject to Suspended Evaluation; and
• the announcement of the Guidelines and Casebooks for Non-medical Health care Services (1st and 2nd).

Regulating the Practice of Medicine

The MSA stipulates that only HCPs are permitted to conduct medical services and such HCPs may only carry out medical services for which they have licences. Providing medical services without a licence is strictly prohibited. However, the current MSA does not define “medical services”, and case precedents have broadly interpreted its meaning (eg, the provision of tattoo services in Korea is deemed to be the provision of medical services).

Therefore, providing some form of (even perfunctory) diagnosis service to customers (for example, using mobile phone applications) can be deemed as providing medical services. This has been controversial for insurance companies that have been attempting to use big data to provide consumers with a statistical analysis of their health (eg, life expectancy, chances of being diagnosed with a particular disease).

Telemedicine

The laws regulating telemedicine have been temporarily relaxed in light of the COVID-19 pandemic. However, this is only temporary and the prohibition of telemedicine under the MSA will remain after the pandemic. See 1.5 Impact of COVID-19 and 7.2 Regulatory Environment for more details.

Prohibition of Provision of Economic Benefits to HCPs

The Pharmaceutical Affairs Act (PAA, applicable to pharmaceutical companies) and the Medical Device Act (MDA, applicable to medical device companies) both explicitly prohibit the provision of economic benefits to HCPs for the purposes of promoting sales. “Economic benefits” is interpreted broadly and, thus, providing meals or drinks (or paying for other forms of entertainment for HCPs) are deemed prohibited per the above statute.

There are attendant regulations to the PAA and MDA which provide for certain safe harbours regarding the provision of economic benefits to HCPs.

Administrative Sanction Procedure

In an administrative enforcement action, companies are provided an opportunity to present their defence before an administrative decision is rendered. Companies may also challenge the administrative decision (administrative fine, corrective order, etc) by filing a lawsuit with the administrative court under the Administrative Litigation Act, or by initiating an administrative appeal with the general court system under the Administrative Appeals Act. Companies charged with criminal violations of relevant statutes can proffer defences through the criminal trial process. The procedure for administrative cases is nearly identical to that of civil cases:

• a complaint is filed and served upon the defendant;
• arguments are made thereafter in the answer, reply brief, and other rebuttal briefs; and
• evidence is examined at hearings and a judgment is rendered.

A final decision on the matter can be, in general, expected six months to a year following the initial filing.

Liability Exemption Based on the Compliance System

Companies can be exempt from liability if they are able to prove that they had a robust compliance system, and that any wrongdoing by an individual of the company was a remote event. Such compliance measures include:

• strict internal regulations;
• rigorous oversight by the legal/compliance teams;
• emphasis on compliance by the management; and
• severe disciplinary sanctions against employees/executives who engage in wrongdoing.

Thus far, however, the Korean government has been strict in exempting companies from liability based on the existence of strong compliance systems.

There are several other regulatory agencies involved in digital healthcare including the following:

• MOTIE, which seeks to nurture and develop new industries, such as the digital healthcare industry;
• the Ministry of Science and ICT, which seeks to further develop IT technology;
• the Korea Communications Commission, which enforces regulations on information and telecommunication services; and
• the Personal Information Protection Commission, which aims to ensure that the personal information on Korea’s citizens is fully protected.

A certain tension exists between such regulatory bodies and the MOHW, whose role is to regulate the Korean healthcare sector. For example, MOTIE desires to actively incentivise and promote the digital healthcare industry, whereas the MOHW seeks to slow the process down until it is certain that any new technology is not a threat to the health of the citizens.

For instance, the Bill on Fostering and Supporting the Digital Healthcare Industry, which is currently being reviewed by the National Assembly, foresees that products/platforms used for medical services would be managed by MOTIE. At the same time, the PAA and MDA are both under the purview of MOHW and, thus, the MOHW renders the ultimate decision on whether a new digital healthcare products and/or platforms should receive marketing authorisation (if the product is deemed a medical device). Inevitably, there could be conflict between these two agencies.

Furthermore, the Ministry of Science and ICT may become a major regulatory body when it comes to healthcare technologies involving AI. On February 14, 2023, a subcommittee of the National Assembly’s Science, ICT, Broadcasting, and Communications Committee passed a proposed Act on the Promotion of the AI Industry and a Framework for Establishing Trustworthy AI (the “AI Act”). The proposed AI Act designates certain types of AI used in direct connection with human life and safety as “high-risk AI”, requires that such high-risk AI achieve a certain level of trustworthiness, and proposes certain notice requirements. If the AI Act is enacted, AI systems used in medical devices may be categorised as “high-risk AI” and the Ministry of Science and ICT will be another authority competent to regulate in this area.

There are no definitions for “preventative care” or “diagnostic care” under Korean law. However, preventative care generally refers to medical check-ups (where the general health of a person is analysed to confirm/prevent any diseases), while “diagnostic care” is generally used to treat diseases where symptoms already exist.

One of the main regulatory schemes that apply to preventative/diagnostic care is the NHI system. South Korea operates a compulsory NHI system that provides coverage for all residents, and primarily comprises general health insurance and a medical aid programme for low-income families. The MOHW oversees the NHI system and is responsible for setting healthcare policies. The MOHW also supervises the following agencies:

• the NHIS, which operates the NHI system and serves as the insurer; and
• the HIRA, which is responsible for assessing reimbursement claims submitted by medical institutions.

While the majority of Koreans subscribe to some form of private health insurance, this is in addition to the NHI system; private health insurance cannot duplicate or replace the NHI system. The NHI system provides comprehensive medical coverage for designated medical treatments.

In this regard, President Suk-Yeol Yoon’s administration has made various pledges under the slogan “the State is responsible for essential medical care.” Specifically, the new administration has publicly stated that the scope of the State’s responsibilities in various areas of essential medical care will be expanded to include:

• securing essential medical facilities, such as emergency rooms, etc;
• mitigating public pain caused by medical expenses (regardless of the type of disease) by expanding support for catastrophic medical needs; and
• expanding various public vaccination programmes.

Various factors have contributed to the increased use of preventative care. These include:

• the development of digital healthcare products (such as wearable devices to check daily exercise routines, glucose levels, etc);
• the increase in life expectancy and the desire for people to stay healthy throughout their lifetime;
• government promotional actives (such as advertisements and policies aimed at ending smoking); and
• overall societal understanding that preventative care would contribute to the overall cost savings for the individual and the state.

Such trends are expected to continue in the future.

Wellness and fitness data is first and foremost subject to the regulations of the Personal Information Protection Act (PIPA), which prescribes comprehensive regulations on the processing and handling of personal information. Stricter restrictions are imposed on healthcare-related data which is considered “sensitive data”. Products which provide wellness and fitness data may also be deemed “medical devices” by the MDA and would, therefore, require prior marketing authorisation.

No separate laws regulate an individual’s data where such data is a combination of data regulated under healthcare regulatory regimes and data regulated under another or no regulatory regime; there are, however, certain practical constraints on how such data is accessed. For example, there is no separate centralised database system where a patient’s medical records from different hospitals are gathered and reviewed. There have, therefore, been discussions on establishing a national healthcare database (My HealthWay) which would collect all the medical data of individuals and allow them to access such data whenever and wherever they wished. See 1.4 Emerging Legal Issues (Use of Medical Data) for further discussion.

Meanwhile, as explained in 1.4 Emerging Legal Issues, an amendment of the Medical Services Act has been proposed to introduce the “right to request the transmission of medical information to a third party” to medical institutions.

In Korea, judges and courts are not able to make laws (ie, the concept of case law does not exist in Korea). Court precedents do provide strong guidance, but no such decisions have been made with respect to digital healthcare.

There are no current or proposed regulations specifically addressing preventative healthcare. Instead, all relevant legal issues are addressed by general laws such as the MDA, PIPA, and the Product Liability Act (PLA), etc.

Nevertheless, relevant bills such as the Digital Healthcare Promotion Act, the Digital Healthcare Promotion Act, the Digital Medical Products Act, and the AI Act are currently being reviewed by the National Assembly. Except for the AI Act, these acts seek to establish stronger legal grounds for the government’s efforts to help support and foster the digital healthcare industry. For more information, please refer to 2.1 Healthcare Regulatory Industries. For the AI Act, please refer to 3.1 Non-healthcare Regulatory Agencies, Regulatory Concerns and New Healthcare Technologies.

Provision of Medical Services by Non-HCPs

The MSA stipulates that only HCPs are permitted to provide medical services and such HCPs may only carry out medical services for which they have licences. As explained in 2.3 Regulatory Enforcement, providing medical services without a licence is strictly prohibited and providing some form of (even perfunctory) diagnosis services to customers (eg, on mobile phone applications) can be deemed as providing medical services.

This has been controversial matter for IT companies that attempted to use digital healthcare tools (eg, to provide consumers with a statistical analysis of their health, life expectancy, chances of being diagnosed with a particular disease). Accordingly, whenever a new digital healthcare service is developed the relevant company must be careful to ensure that the service provided is not a “medical service” as defined in the MSA.

Broad Definition of “Medical Devices”

The MDA governs the management of medical devices, including manufacturing, importation, sale and use and public health issues associated with the devices. The MDA defines “medical device” as “an instrument, machine, device, material, software, or any other similar product [...] used for the purpose of [...] diagnosing, curing, alleviating, treating or preventing a disease” in humans or animals.

As the definition is somewhat ambiguous (and without much additional detailed guidance), the MFDS tends to interpret the definition broadly. For example, the MFDS has ruled that “computer aided detection and diagnosis software” and “software that efficiently checks, analyses, transmits and prints medical images and treatment information in the field of radiation oncology” are medical devices under the MDA. The MFDS has further stated that software that assists and supports clinical decision-making by HCPs is a medical device. If a product constitutes a medical device, the company will need to receive a market authorisation which will require, among other things, clinical trial data to be submitted to the MFDS.

Overseas Transfer of Personal Information

Numerous multinational companies with no relevant resources in Korea often require assistance from their affiliates abroad. However, the MSA provides that “[n]o one may disclose, alter, or destroy any personal information stated in an EMR without a justifiable reason”. Accordingly, transferring medical records to a third party outside a medical institution is, in principle, illegal in Korea. There are exceptions, but these have very strict requirements.

Additionally, national and public medical institutions cannot store their data (eg, personal information or EMRs) overseas when using a commercial cloud computing service. National and public medical institutions must use a commercial cloud computing service that is certified under the Cloud Security Assurance Programme (CSAP), and in order to obtain such certification, the cloud system and hosted data must be physically located in Korea.

Meanwhile, under the amended PIPA, which will take effect on 15 September 2023, a personal information controller that is not an online service provider (OSP) is required to prepare procedures for overseas transfer, including the consent of the data subject, in case of overseas transfer of personal information. Consent can be waived only in the case of overseas outsourcing or storage of personal information when it is necessary for the execution and performance of an agreement with the relevant data subject. Therefore, when multinational companies transfer personal information, such as patient information, to their overseas affiliates, they must obtain separate consent for the overseas transfer, and in the case of overseas outsourcing/storing for the purpose of execution and performance of an agreement, they must disclose the details in their privacy policy, etc.

The development of 5G, AI, machine learning and subsequent application of such technologies to wearable devices have contributed to the development of the “internet of medical things” (IoMTs). Such technologies have had a particularly strong impact on preventative medical services (eg, monitoring blood pressure, glucose levels).

The use of such products by individuals and hospitals, however, has been somewhat limited. This is because such products often constitute medical devices which would require marketing authorisation. Furthermore, the data collected by such products should be sent directly to medical institutions, which could cause regulatory issues concerning personal information protection. Such regulatory hurdles will need to be addressed in the near future to ensure innovative IoMTs can be fully utilised.

If an adverse healthcare outcome is caused by a fault attributable to an HCP, the Civil Code and Criminal Code will apply. In such cases, the HCP will be liable for the harm caused to the patient and may also be subject to criminal liability if there is bodily harm and the HCP was negligent. The HCP will need to argue that they were not negligent to avoid both such liabilities.

If an adverse healthcare outcome is caused by a medical device or drug, the manufacturer of the device or drug can be held liable.

Civil Liability

According to the PLA, manufactures and sellers of products will be liable for damages caused by a “defect in a product” which is categorised as a manufacturing defect, design defect or warning defect (where sufficient warning was not provided). Under the PLA, it will be presumed that the product was defective at the time of supply and that the defect caused the damages if a victim is able to prove the following:

• damages were sustained while the product was being used normally as intended;
• the damages occurred from a cause that originated within the boundaries controlled by the manufacturer; and
• the damages would not normally occur in the absence of a defect.

A manufacturer may be exempt from product liability claims in the following circumstances:

• the manufacturer did not supply the product;
• the alleged defect could not have been discovered by scientific or technological standards available at the time the product was supplied;
• the alleged defect was caused by the manufacturer’s compliance with standards mandated by laws in effect at the time the product was supplied; or
• with respect to suppliers of raw materials or parts/components, if the alleged defect was caused by the purchasing manufacturer’s specifications regarding the design or manufacture.

Criminal Liability

According to the Criminal Code, the manufacturer of a medical device/drug could be criminally liable if the product causes bodily harm to the victim and the manufacturer was negligent in causing a defect which caused such bodily harm. The manufacturer in this instance will need to prove that it was not negligent.

All medical information stored in clouds or local computers are subject to cyber-attacks. Such risk has resulted in the growth of cybersecurity IT companies, as well as strict laws and regulations.

For example, when applying for marketing authorisation for a medical device which has telecommunication functions, strict cybersecurity protection measures are required. For example, the ISO 14971 is applied to evaluate the risk and the medical device must be capable of encrypting data when transferring such data; logs must also be created for all relevant events.

Furthermore, medical institutions must maintain strict regulations pertaining to their equipment and facilities that store and process medical data. Such requirements are more stringent when medical institutions want to store such data on servers located outside the medical institution.

The distinction between medical devices and non-medical devices for products that provide diverse healthcare related services is still not entirely clear. For example, if a product is not just a wellness product, but rather acts to diagnose or treat diseases, the product will be categorised as a medical device, and thus, will require marketing authorisation. If the product is not considered to be a medical device, it will only require other minor, electronics related approvals. While the government has been working to issue guidelines to make the distinction clearer, the boundaries are still quite unclear.

As described in 4.5 Challenges Created by the Role of Non-healthcare Companies, the MSA only allows HCPs to provide medical services. Accordingly, if a particular service is not a medical service, but rather, a “wellness management service”, such a service can be provided by non-HCPs outside of medical institutions. The boundaries of this distinction, however, are also unclear. The MOHW has issued guidelines to help elucidate the boundaries, but there is still much controversy.

All such issues are handled mainly by the MOHW.

According to the Digital Treatment Devices Approval and Review Guideline, software as medical device technologies (SaMDs) are defined as:

• “a medical device that is not dependent on hardware;
• has a function that meets the intended use of the medical device; and
• consists solely of independent software”.

As a medical device, the marketing authorisation and management of SaMDs are handled by the MFDS. SaMDs, as with other medical devices, are categorised into four different classes, depending on the level of risk posed to the patients by such devices.

Similarly to other medical devices, if SaMDs are upgraded to include new features or functions, additional authorisation will need to be obtained. Simple upgrades to fix bugs (or simple patch updates) will not require additional authorisation (for AI/machine learning-based SaMDs, please see below).

Whether a product uses AI and machine learning will not affect whether it falls into the category of a medical devices. For more information on the definition of medical devices, please refer to 4.5 Challenges Created by the Role of Non-healthcare Companies. If a product uses AI/machine learning and falls into the category of a medical device, the party applying for the marketing authorisation will need to disclose the relevant algorithm.

The question arises as to whether AI/machine learning-based SaMDs require additional marketing authorisation whenever the AI/machine’s functions are improved due to the machine learning feature. Currently, the MFDS takes the position that, as long as the manufacturer does not advertise such enhancements due to machine learning, a marketing authorisation amendment would not be necessary. However, if a new feature or function is added, an additional marketing authorisation amendment will be required.

The biggest hurdle faced by SaMDs is receiving NHI reimbursement. The government does not yet have a system by which to manage NHI reimbursement for SaMDs, which makes it difficult for hospitals to use such products. We are hopeful that the government will soon address this issue.

Additional requirements apply to national and public medical institutions. As mentioned in 4.5 Challenges Created by the Role of Non-healthcare Companies, these institutions may only use commercial cloud computing services that are CSAP-certified. Therefore, if SaMDs is based on a commercial cloud computing services, only SaMDs that use CSAP-certified services would be available for these institutions. To obtain CSAP certification, the cloud service provider must meet strict requirements, such as data and personal localisation, physical separation of networks, and Common Criteria certification. These particularly strict requirements have been recognised as hindering foreign commercial cloud service providers from providing services to the national and public medical institutions.

Even with the temporary relaxation of relevant regulations on telemedicine in light of the COVID-19 pandemic, the government is currently not considering permitting the operation of virtual hospitals or virtual visits to hospitals. Although such services may be allowed in the future, it is difficult to confirm when this will happen.

In the meantime, medical services to residents in Korea must be provided by HCPs licensed to practice medicine in Korea. Accordingly, it is currently not possible for foreign HCPs to provide medical services to residents in Korea. Please refer to 1.5 Impact of COVID-19 for more details.

While the COVID-19 pandemic has caused the government to relax regulations regarding telemedicine, it is (as of now) only a temporary measure.

The proposed amendment to the Medical Services Act, which allows non-face-to-face treatment, was submitted to the Subcommittee on the Review of Bills of the Health and Welfare Committee of the National Assembly in April 2023, but was not passed (five amendments to the Medical Services Act that stipulate the institutionalisation of non-face-to-face treatment and one amendment to the Medical Services Act that regulates non-face-to-face treatment brokerage platforms were reviewed together). The National Assembly commented to the MOHW to come up with countermeasures, pointing out the possibility of commercialisation of medical care, institutionalisation of pharmaceutical delivery, issuing of public electronic prescriptions, whether to introduce prescriptions for ingredients, and the fact that the number of non-face-to-face treatments has not been resolved at all.

However, the MOHW has adopted and implemented a pilot project, which began on 1 June 2023, and under which non-face-to-face medical treatment is permitted to a certain extent because the previous legal basis for the temporary non-face-to-face treatment disappeared due to the loosening of COVID-19 restrictions.

Please refer to 1.5 Impact of COVID-19 for further details.

The MSA prohibits telemedicine offered directly from medical personnel to patients. On 15 December 2020, the Act on Prevention and Management of Infectious Diseases was amended to temporarily allow HCPs to provide telemedicine to patients under certain specific circumstances due to the COVID-19 pandemic. This temporarily permitted telemedicine lost its legal basis as COVID-19 restrictions were loosened, but a pilot project was adopted and implemented on 1 June 2023 permitting non-face-to-face medical treatment to a certain extent. This pilot project allows HCPs to use information and communication technologies such as wired, wireless, video communications and computers to continuously observe, diagnose, examine and provide medical services to patients outside medical institutions.

IoMTs are integrated software, devices, hardware, etc, that help HCPs monitor patients or diagnose or treat diseases. The main technology used for IoMT includes 5G networks, big data analysis, and AI.

The most important legal issues faced by IoMTs include the following.

• Medical devices – depending on what information is being collected and analysed by IoMTs, the relevant product could be categorised as a “medical device”, which would then require prior marketing authorisation.
• Provision of Medical Services – depending on what services are being provided by IoMTs (eg, analysing blood pressure, glucose level), such products could be considered to be providing medical services. This could be a violation of the MSA, as the MSA prescribes that only licensed HCPs can provide medical services.
• Personal Information – manufacturers of IoMTs must ensure that all personal information collected via the relevant products is collected in a manner that is compliant with the data privacy laws in Korea.

Meanwhile, since the recent launch of ChatGPT, various “digital assistant” services that provide medical information have been launched or are shortly to be launched in Korea. However, such services may constitute “medical practice by non-medical personnel” prohibited by the MSA.

Therefore, the digital assistant service should be limited to simply introducing materials such as standard medical guidelines that have already been disclosed, and in order to reduce the risk of violating the Medical Services Act, the service providers are advised to add a clear disclaimer to the effect that “specific medical information should be inquired of HCPs.”

Impact of 5G Networks

Since the first commercialisation of 5G networks in the world in April 2019, Korea has been rapidly distributing 5G networks. As a result, many changes are expected to take place in the digital healthcare market in Korea.

The 5G network infrastructure is spreading relatively quickly in Korea, setting the foundation for a rapid change in the digital healthcare market. The government plans to complete the establishment of 5G networks including rural areas by 2024. In addition, the government is planning to lead the 5G network era by establishing a specialised network that provides 5G services customised to the needs of various industries, including medical services.

In addition to the spread of the IoT, 5G is also bringing about many changes in hospitals. In Korea, mobile carriers (companies that provide mobile phone communication services) and hospitals are working together to build 5G smart hospitals that incorporate AI and immersive content.

More specifically, AI speakers have been installed in hospital rooms and attempts are being made to monitor patients’ biological signs comprehensively with online hospital visits by patient’s caregivers, ward dashboards and mobile devices using immersive media technologies such as holograms. Also, informatisation of medical records through AI voice recording, virtual reality nursing practice, management of the location and usage of dangerous drugs based on IoT, virtual reality healing for patients with limited mobility, and IoT hospital rooms that promote stable sleep and provide air quality checks, are being implemented.

The government has implemented 5G services in ambulances, enabling rapid data transmission between ambulances and a cloud-based platform that analyses patient information and provides instructions on first aid and hospital selection during patient transport.

5G is also making the establishment of mobile hospital infrastructures that can be used in disaster areas, etc, a reality. In May 2021, the government announced its plan to create the world’s first mobile hospital to expand healthcare services to underprivileged areas, such as disaster areas, using AI diagnostic equipment based on 5G technology. Under the plan, the government expects to develop mobile hospitals that can be operational within sixty minutes in disaster situations or in vulnerable areas.

Commercial and Contractual Considerations

Although Korea’s 5G network infrastructure environment is excellent, there are still strict regulations on certain areas with regard to digital healthcare. Therefore, it is necessary to first review whether the services to be provided are available and how the regulations could be relaxed accordingly.

In addition, even if it is difficult under the current regulations, it is necessary to examine whether the temporary permit, based on a de-regulatory sandbox system (ie, a safe harbour where companies can freely experiment new ideas and technologies, as children do with their toys in a sandbox) which was adopted in January 2019 in Korea, can be used to provide services before the regulations are relaxed.

Furthermore, it is important to clarify who would be responsible for the various licences/permits and who would be responsible for information security failures, such as the leakage of personal or medical information, etc, in executing contracts between partners such as mobile carriers and hospitals.

The collection, use and provision of personal health information may be subject to the PIPA, the MSA, and the Bioethics and Safety Act (BSA). Although the PIPA is a general law governing the processing of personal information, the MSA takes precedence over the PIPA for patient records held by medical institutions, and the BSA takes precedence over the PIPA for research on human subjects including clinical trials. In the following sections, we will explain the collection, use and provision of personal health information under the PIPA, MSA and the BSA.

Personal Information Under the PIPA

As mentioned above, the PIPA is a general law governing the collection, use and provision of personal information. Therefore, the PIPA is applicable unless other laws and regulations specifically provide for the processing of personal information.

Personal information, which is regulated by the PIPA, refers to information pertaining to a living individual that (i) can be used to identify an individual, or (ii) can be easily combined with other information to identify an individual even if such information in and of itself cannot identify the individual.

In principle, consent from data subjects is required to collect, use and provide personal information. Personal information includes not only general personal information, but also health-related sensitive information. Consent to use sensitive information should be obtained separately from other personal information. In addition, consent to the collection and use of personal information and consent to the provision of personal information to a third party must be separately obtained.

On the other hand, information that can no longer be used to identify an individual by using other information is referred to as “anonymous information,” which is not subject to the PIPA.

Pseudonymised information refers to information that cannot identify a particular individual without the use or combination of additional information to restore the original identity of the subject. Such pseudonymised information is regulated by the PIPA, but unlike other personal information, it may be used for the purpose of compiling statistics, conducting scientific research and preserving records for the public interest, without the consent of the data subject. This concept of “pseudonymised information” was recently introduced due to the need to use information in various fields including digital healthcare.

Digital Healthcare and Pseudonymised Information

To collect, use and provide personal information (which is not pseudonymised), individual consent from the data subject is required. However, in the case of pseudonymised information, if it is used for the purpose of compiling statistics, conducting scientific research, preserving records for the public interest, etc, it can be processed without the data subject’s consent. As the need to use information for research and other purposes is increasing, the use of pseudonymised information is increasing due to the difficulty of obtaining consent from data subjects.

The Personal Information Protection Committee and the MOHW have collectively published the “Guideline on Utilisation of Healthcare Data” to explain the standards, methods and procedures for pseudonymisation of individual healthcare data. For example, in the case of image information such as endoscopy, X-ray and ultrasound, if an identifier (eg, patient number or name) is deleted or masked and the Digital Imaging and Communications in Medicine (DICOM) header is deleted from the metadata, such information may be regarded as pseudonymised information.

However, the PIPA provides that pseudonymised information should not be processed for the purpose of identifying a specific individual. As information processed for personalised treatment, diagnosis, etc is subject to restoration/re-identification, it is difficult to regard such information as pseudonymised information.

Fields Subject to the MSA and BSA

The MSA takes precedence over the PIPA with respect to the records of patients held by medical institutions. In particular, if a medical institution is required to provide a third party with access to (or a copy of) the patient’s records, the MSA applies. Patient records may be provided to a third party only when they meet the strict requirements under the MSA. However, the Guidelines for Utilisation of Healthcare Data explain that the PIPA, not the MSA, applies to medical records and pseudonymised information that cannot be used to identify a specific patient. Thus, institutions may consider using pseudonymisation when using such medical records/information for digital healthcare.

The BSA applies to studies on human subjects, including clinical studies. Under the BSA, a researcher may provide personal information after deliberation by the Institutional Review Board if the researcher obtains written consent from the data subject.

In addition, in order to provide such personal information to a third party:

• all or part of the personally identifiable information must be replaced with the relevant agency’s unique identification code; or
• consent to the provision of personal identifiable information from the data subject must be obtained.

Leakage of Personal Information

Regulations on personal information leakage and data breach are set forth in the PIPA. If personal information is leaked due to a failure to take necessary measures to ensure the safety of the information, imprisonment of up to two years or a fine of up to KRW20 million may be imposed on the violator. In addition, an administrative fine of up to 3% of the sales related to the violation may be imposed if the personal information processor is an IT service provider (digital healthcare is likely to fall into this category).

However, under the amended PIPA, which will take effect on 15 September 2023, the criminal sanctions will be abolished. Instead, the violator may be subject to an administrative fine not exceeding 3% of the total revenue (less the revenue unrelated to the violation), unless the violator has fully implemented the required measures to prevent leakage of personal information.

On the other hand, a data subject may claim for damages if they have suffered injury due to the personal information processor’s leakage (if it is difficult to specify the specific amount of damages, they may claim for up to KRW3 million). If personal information is leaked due to wilful misconduct or gross negligence of the personal information processor, the processor may be held liable for punitive damages of up to three times the amount of damages to the data subject. Under the amended PIPA, punitive damages are increased to up to five times the amount of damages to the data subject.

Meanwhile, in relation to the fields covered by the MSA, if an HCP divulges another person’s information that they have obtained in the course of performing their duties or violates the restrictions on the provision of such information to a third party, they may be subject to imprisonment of up to three years or a fine of up to KRW30 million. However, the violator cannot be punished if no complaint is filed.

In addition, in fields covered by the BSA, a person who divulges or misappropriates confidential information may be subject to imprisonment for up to three years (a corporation or representative may be subject to a fine of up to KRW50 million pursuant to the vicarious liability provision), and a person who provides treatment information, including genetic information, to a third party may be subject to imprisonment of up to two years or a fine of up to KRW30 million.

The Concept of AI

There is no formalised agreement on whether AI in the healthcare sector refers to “Artificial Intelligence” or “Augmented Intelligence.” However, as AI is used to support and assist HCPs in making decisions on medical treatment, prescription and medication, it is reasonable to view it in the healthcare sector as “Augmented Intelligence” rather than “Artificial Intelligence”.

Utilisation of Personal Health Information for the Development of Machine Learning Algorithms

The collection, use and provision of personal information through machine learning algorithms are no different from the collection, use, and provision of personal information described in 10.1 The Legal Relationship Between Digital Healthcare and Personal Health Information. Accordingly, under the PIPA, in order to collect, use and provide personal information that is not pseudonymised, consent from the data subject must be obtained.

In the case of pseudonymised information, if it is used for the purpose of compiling statistical data, conducting scientific research, preserving records for public interest, etc, it may be processed without the consent of the data subject.

When collecting information through machine learning algorithms, it will be difficult to obtain individual consent from the data subject. Therefore, whether the pseudonymised information can be collected and used would be the key issue.

In general, machine learning in the healthcare industry is used for the following purposes:

• medical and health institutions – to diagnose, predict, and treat patients’ diseases and identify and predict the spread of infectious diseases;
• pharmaceutical companies – to improve the efficacy and accuracy of the new drug development process; and
• medical device companies – to develop various diagnostic systems and support personal healthcare services.

Of course, its functions are not limited to the above-mentioned categories, and it may be used for various other purposes.

Risk of Cyber-Attacks and Misuse/Abuse of Sensitive Information

Personal health information constitutes sensitive information and may be vulnerable to misuse and cyber-attacks. In particular, medical information retained by medical institutions may be used for various purposes, and there is a risk that such sensitive information could be hacked. For this reason, the MSA requires that the MOHW be notified when medical information is leaked due to electronic infringement of medical records.

In addition, personal genetic information may be at risk of misuse and cyber-attacks because such information may contain information about not only specific individuals, but also third parties such as their parents, ancestors, siblings, descendants and other relatives. For these reasons, the Guidelines for the Utilisation of Healthcare Data provide stricter limitations on the pseudonymisation of genomic information.

Centralised Electronic Health Record Computer System

In Korea, due to the lack of standardisation of EMRs, the utilisation rate of EMRs by medical institutions is low. Accordingly, the MOHW is pursuing a project to standardise EMRs in hospitals and clinics, but the project has not yet achieved any notable results. If a standardised EMR system is implemented, medical data scattered across individual medical institutions can be utilised to the full extent permitted by law. Consequently, the quality of medical data could be improved at a national level and the pharmaceutical and medical device industries could also be developed.

Natural Language Processing and the Healthcare Field

Natural language processing is understood to be AI that helps computers understand, interpret and manipulate human languages. In the field of healthcare, it will be essential in processing and analysing various physicians’ handwritten records, prescriptions, clinical trial data and image/voice data. The development of AI with natural language processing capabilities will make it possible to use personal healthcare information for various purposes as explained earlier in this section.

The amended PIPA introduces the right of data subjects to refuse or request an explanation of decisions made through the processing of personal information via a fully automated system (including systems applying AI technology) if such automated decision significantly affects the rights or obligations of the data subject. This provision, which will enter into force on 15 March 2024, is similar to Article 22 of the EU’s General Data Protection Regulation (GDPR).

The biggest hurdle faced by companies developing new digital healthcare technologies is the slow-changing regulatory environment. Because many of the innovative digital technologies are not permitted under the current laws and regulations (or fall into grey areas), many such companies are not able to aggressively invest in new, innovative technologies.

This issue becomes particularly apparent with technology companies that seek to engage in the digital healthcare industry, but have not previously done so (ie, they lack experience regarding the regulatory environment). Accordingly, such companies often times work in co-operation with existing medical institutions, or acquire other medical device companies, etc.

In order for a medical institution to support digital healthcare, including the fields of telehealth, machine learning, the IoT and data transmission, the institution needs to digitise and store medical records using cloud services, depending on the type of service.

In this regard, the Korean government introduced an EMR system certification in 2020 so that medical data of hospitals can be stored in cloud services.

EMR certification is divided into “product certification” of the EMR system, granted to self-developed or commercial software products of medical institutions utilising medical data, and “certification of use” granted to medical institutions adopting such software. Medical institutions can efficiently operate the EMR system by obtaining the certification and using cloud services that meet the EMR certification requirements instead of their own IT facilities.

The EMR certification standard verifies whether:

• the network access in the management area of the cloud computing service providers, the service area of users, and the service area between users are separated;
• a dualised network (line, internal network configuration route, router, etc) for each section of the network is configured so that services can be provided without interruption;
• the product meets the requirements of the National Intelligence Service, such as Common Criteria certification, when introducing a product with information protection and security functions; and
• the physical location of the EMR system and its backup equipment is limited to Korea.

Some in the industry are of the opinion that these requirements should be relaxed, but the government has not announced any specific intention to do so. It remains to be seen whether these requirements will be relaxed in the future.

Digital healthcare is an area where medical information and IT are combined and where issues regarding patents, copyright and trade secrets can intersect.

If a device or method that provides digital healthcare is defined as an invention it can be protected by a patent. In addition, software or computer programs are often used in digital healthcare technology. Although business methods and processes may be protected through patents, the software itself may be protected by copyright from the date of creation.

Alternatively, if the owner of the information or data does not want it to be disclosed, they may wish to protect it as a trade secret. Information may be protected as a trade secret as long as the following requirements are met:

• it is of a non-public nature;
• secrecy is maintained; and
• it has useful economic value.

In the case of data and databases used in machine learning, these can be protected as compilation works under the Copyright Act or as trade secrets. Moreover, the recent amendment to the Unfair Competition Prevention and Trade Secret Protection Act has additionally listed an act of unfairly using or disclosing another person’s data as an act of unfair competition. Thus, it is possible to seek remedy under the above Act.

Currently, there is a global controversy over the ownership of inventions created by AI and whether patents should be granted for those inventions, with countries having differing opinions. However, most countries are taking the position of not recognising AI inventions since an AI is not a “natural person.” Korea is taking a similar position.

Since patents, trade secrets, and copyrights are the main issues in the field of digital healthcare, the how to obtain IP rights, the protection period and enforcement are explained below.

Obtaining IP Rights

Patents need to be separately registered through filing a patent application.

Trade secrets do not need to be filed but must meet the following three requirements:

• be non-public in nature;
• maintain secrecy; and
• be of economic value (Article 2, subparagraph 2 of the UCPA).

Copyright protection is available from the time of creation, without the need for any separate registration process, although it is recommended to obtain copyright for enforcement purposes.

Protection Period

The protection periods are as follows:

• patent – 20 years from the filing date of a patent application;
• trade secret – no time restrictions as long as the secrecy is maintained; and
• copyright – 70 years after the author’s death (in the case of work made for hire or 70 years after publication).

Enforcement

For products and devices that can be reverse engineered, trade secrets offer little protection. In this case, it would be preferable to seek patent protection. On the other hand, for manufacturing processes where it may be difficult to prove infringement, it may be desirable to obtain trade secret protection. Copyright has the advantage of being protected without the need for any separate registration process. However, the scope of rights for a copyright tend to be narrowly construed, and if there is no intent to infringe, such as an accidental matching of expressions, there is no infringement.

Court Decision

There was a case involving a service contract for developing a picture archiving and communication system. After the contract was terminated, the service provider illegally obtained the program source code owned by the contractor. In this case, the court ruled that there had been copyright infringement and misappropriation of trade secrets.

In addition to the intersection of IP rights in digital healthcare, multiple IP owners may be involved. Thus, each of the IP rights and each owner involved should be identified in advance of making a licence agreement. Thereafter, it is necessary to set the licence scope tailored to the characteristics of each IP right and to set a separate licence agreement(s) with each owner.

If the digital technology is the result of a joint development, there are legal and practical restrictions on transfer, pledge, licensing, etc. Thus, it is desirable to reflect these in the licence agreement. Moreover, if medical data needs to be used, strict privacy issues must be addressed. Thus, it is advisable to check whether there are any restrictions on the use of such data.

According to the Invention Promotion Act of Korea, if an HCP/inventor invents an item, the right to the invention is inherently vested in the inventor, provided, however, that university or healthcare institution may acquire the right to the invention by contract or employment rules. Most university or healthcare institutions have contracts or employment rules providing for the assignment of an invention to the employer.

There are occasions where one inventor belongs to university and healthcare institutions at the same time and, in principle, the ownership of rights is determined based on the interpretation of the relevant contract.

In case of a joint development agreement, it can generally be divided into (i) research conducted with government funding, and (ii) research conducted without any government funding. In the case of government funding-based research, relevant government ministries usually provide standard guidelines on the ownership of IP rights, but in the case of a joint development, they generally require ownership sharing.

In the case of joint research by private entities, it may differ on a case-by-case basis, depending on the specific terms of the agreement. Usually, private companies want to have sole ownership of inventions coming out of R&D, but in some cases companies may share inventions in consideration of good long-term relationships (such as with doctors or professors).

In the case of IP rights arising as a result of joint development, there is a provision directly regulating the co-ownership relationship both in the Patent Act and the Copyright Act. However, in the case of trade secrets, there is no relevant statutory provision, but there are principles recognised in the practice as explained below. Therefore, it is necessary to keep these issues in mind when executing the relevant agreement.

Patent

A co-owner may use a patented invention without the consent of the other co-owners, but the consent of the other co-owners is required for a share transfer or pledge (Article 99 of the Patent Act). Moreover, for in service inventions, legally the default is that ownership of the invention resides with the inventor. Thus, transfer of ownership agreements is needed.

Trade Secrets

Trade secrets may be used without the consent of other co-owners. However, the consent of co-owners is required in the event of a share transfer or pledge (there is no separate provision but the co-ownership provision under the Civil Act has been applied in court precedents).

Copyright

The copyright of a joint work can be exercised only with the agreement of all the other co-owners. Any transfer or pledge of shares requires the consent of the other joint authors and the profits from the use of a joint work shall be distributed according to the degree of contribution to the joint creation (Article 48 of the Copyright Act).

There are no specific theories being discussed pertaining to liabilities arising from decisions based on digital health technologies.

The primary party liable to damages incurred to patients would be the HCPs. If the HCPs are able to prove that they did not intentionally (or by negligence) cause damages to patients, such HCPs would not be responsible for the damages caused. Whether HCPs would be considered to be “negligent” if they had engaged in treatment based on information provided by AIs is a legal area that needs to be further researched.

If, however, the digital health technology in question has a fault, then the manufacturer of such technology could be liable to the patients, according to the PLA (which levies strict liability on manufacturers of products).

There are no specific laws which address the liability of third-party vendor’s products or services that cause harm to healthcare institutions in the context of supply chain disruptions or as a vector for cybersecurity attacks, etc. Any civil liability, for example, would be addressed primarily by the Civil Code (eg, if a party defaults on its obligations to a contract, that party would compensate for the damages). It should be noted, however, that the scope of such liability can (in principle) be limited by the terms of the agreement between such parties.