Digital Healthcare 2024

Last Updated June 27, 2024

South Korea

Law and Practice

Authors



Kim & Chang has a healthcare practice group that brings unparalleled regulatory, intellectual property, corporate, competition law and litigation expertise to meet the complex needs of clients in the pharmaceutical, medical device and diagnostics sectors. Formed when Kim & Chang was first established in 1973, the healthcare practice group has since advised the majority of multinational firms doing business in these sectors in Korea, from established industry leaders to newer digital healthcare companies and start-ups. The firm’s highly experienced attorneys and industry experts are knowledgeable in how regulatory agencies work and how laws and enforcement trends have evolved and are therefore able to advise clients proactively on a wide range of issues, including promotional practices, regulatory approvals, pricing and reimbursement and product recalls. With its in-depth understanding of the commercial and regulatory aspects of these activities, Kim & Chang provides practical advice that is unmatched in Korea.

“Digital healthcare”, “digital medicine” and “digital therapeutics” refer to the integration of traditional healthcare into the digital environment. The core technologies allowing for this digital transformation include the internet of things (IoT), cloud computing, sensors, big data and artificial intelligence (AI).

Korea has the world’s most developed 5G network and information technology, and is a leading country in the use of image archiving communication systems and electronic medical records (EMRs) in hospitals. These make Korea the optimum environment for digital healthcare to flourish. Accordingly, numerous IT companies, including start-ups, actively pursue the advent and development of digital healthcare in Korea.

Nevertheless, Korea’s digital healthcare industry is relatively incipient due to regulatory hurdles. Typical regulatory obstacles concern restrictive views on:

  • telemedicine;
  • the use of medical information;
  • cloud storage;
  • genetic information for customised medical care;
  • anonymisation and pseudonymisation of medical information as big data; and
  • insurance reimbursement listing of digital technology.

The current Yoon administration, however, acknowledges these regulatory hurdles and is actively addressing these challenges through regulatory reforms and support for R&D investment as part of its national agenda to establish Korea as a global centre for bio-digital health.

For example, in December 2023, the government launched the Biohealth Innovation Council as the central co-ordinating body to bring together the public and private sectors to drive discussions and initiatives towards achieving key objectives. These objectives include developing a plan for the operation of the council and for the R&D investment in biohealth, identifying strategies to remove regulatory barriers hindering innovation, and implementing strategies to foster physician-scientists.

The expansion of digital healthcare services and products as a result of these regulatory improvements is expected to bring about various changes. Healthcare professionals (HCPs) will be able to provide new, innovative healthcare services to patients to prevent or manage diseases, while patients will gain access to new healthcare services not bound by time or space.

Definition of Digital Health

Currently, there is no definition of digital health provided in local law. However, the upcoming Digital Medical Products Act (DMPA), which is set to take effect in January 2025, will include a definition of “digital medical products”, which encompasses digital medical devices, digital convergence drugs, and digital medical/health support devices. Among them, digital medical devices are defined as “medical devices to which advanced technologies such as intelligent information technology, robot technology, and information and communication technology are applied, and which are used for the purpose of diagnosing and treating diseases”.

Definition of Digital Medicine

Currently, there is no definition of digital medicine provided in local laws. However, the term is generally used to mean providing personalised drugs and healthcare services by collecting and analysing medical data. All devices used for such purposes, however, are generally categorised as medical devices (see below).

Definition of Digital Therapeutics

There is currently no definition of digital therapeutics provided in local law. However, according to the administrative guidelines issued by health officials, the government takes the position that digital therapeutics is a form of “medical device” – ie, a software as a medical device (SaMD) that provides patients with evidence-based therapeutic intervention for prevention and treatment of a medical disorder or disease.

Meanwhile, according to the DMPA, a “digital convergence drug” is defined as a product that combines a pharmaceutical product with a digital medical device or a digital medical/health support device, and its main function is to qualify as a pharmaceutical product.

Artificial Intelligence and Clinical Decision Supporting Systems

One of the most important technologies enabling the growth of digital healthcare and digital medicine is the advent of AI and clinical decision-supporting systems. Digital healthcare that uses AI includes, for example, the development of software that not only provides information on the best available treatment options based on real-world data, but also helps in the diagnosis of diseases. For example, software that reviews computed tomography and magnetic resonance images identifies diseases at a much faster rate and with higher accuracy.

Big Data and Genetic Analysis

Next-generation sequencing allows for the analysis of genetic information which helps predict the probability of certain diseases in individuals.

In addition to existing laparoscopic surgery, robotic medical devices are used in areas ranging from orthopaedic surgery, such as artificial joint insertion, to surgeries such as cholecystectomy.

Other key technologies include companion diagnostics, complementary diagnostics, telemedicine services, direct-to-customer digital healthcare technology and wellness products.

Telemedicine Services

In Korea, telemedicine is, in principle, prohibited, as the Medical Services Act (MSA) states that the practice of medicine must be conducted physically within a medical institution. However, as of May 2024, it is temporarily allowed. See 7. Telehealth for more details.

Use of Medical Data

In 2021, the government established the “My Healthway” project to create a platform that aggregates individuals’ personal health records from various sources and, with the individual’s consent, shares the data with other institutions with their consent. However, medical institutions are currently limited in their ability to transfer personal medical data to a third party, even with the individual’s consent, unless such transfer falls under the specified exceptions in the MSA.

To address this issue, currently pending in the National Assembly (NA) are proposed amendments to the MSA and the Pharmaceutical Affairs Act (PAA), which seek to establish the right to request the transmission of medical information to a third party. They would allow individuals or their representatives to ask medical institutions or pharmacies to share personal medical data, such as medical records or dispensing records, with entities that utilise the data.

Wellness Products and Innovative Medical Technologies

Wellness products refer to products used to improve daily health or to mitigate risks of chronic diseases (eg, smart watches which measure heart rates, body temperature, blood pressure, etc). In principle, low-risk wellness products are not considered medical devices under the Medical Device Act (MDA) that require marketing authorisation, although the line between wellness healthcare products and medical devices is often unclear.

The upcoming DMPA will, however, newly establish a voluntary certification regime for “digital medical/health support devices”. They are conceptually similar to wellness products, as they are defined as “instruments, machinery, devices, software or other similar products designated by the MFDS to which digital technology is applied, that are not digital medical devices but are used to monitor, measure, collect, analyse, etc, biometric signals for the purpose of supporting medical services or maintaining and improving health”. Therefore, once the DMPA takes effect, products that are currently classified as wellness products and not regulated as medical devices under the MDA may voluntarily seek the government’s certification for product registration and newly become subject to the government’s regulatory management.

The other key components of the legislation are as follows.

  • Defining digital technologies to encompass intelligent information technology, robotics technology, and information and communications technology; defining digital medical products to include digital medical devices, digital convergence drugs, and digital medical/health support devices.
  • Establishing a comprehensive safety management plan for digital medical products. This involves requiring manufacturers or importers of such products to obtain approval, register, or report the product with the MFDS.
  • Reflecting unique characteristics of digital technology into the regulatory system. For instance, clinical trials for digital medical products can now be conducted outside of traditional clinical trial centres, and real-world evidence can be utilised for product approval.

Meanwhile, in May 2022, the MFDS issued administrative guidelines outlining classification standards and approval/review procedures for AI-based medical devices. Furthermore, in August 2023, the Ministry of Health and Welfare (MOHW) and the Health Insurance Review and Assessment Service (HIRA) released guidelines to clarify the process for health insurance reimbursement of digital therapeutics and AI-embedded medical technologies. See 6. Software as a Medical Device for more details.

In line with these developments, in 2023, the MFDS approved the first two digital therapeutic devices that are developed as cognitive therapy software to combat insomnia.

Key Regulatory Agencies

Ministry of Health and Welfare (MOHW)

The MOHW is a key stakeholder as the ministry in charge of:

  • developing national healthcare policies;
  • managing the fiscal sustainability of the National Health Insurance (NHI) system; and
  • overseeing policy implementation.

The MOHW has issued guidelines such as the Guidelines on Non-Medical Healthcare Services (which provide guidelines on which healthcare services constitute medical services) and the Guidelines for the Use of Anonymised/Pseudonymised Medical Data, among others.

Health Insurance Review and Assessment Service (HIRA)

The HIRA reviews and assesses healthcare costs and healthcare service quality and supports NHI policies in determining medical fee schedules and drug prices. HIRA is responsible for developing guidelines that apply to the insurance reimbursement listing of digital medical services and devices.

National Health Insurance Service (NHIS)

For drugs determined to be reimbursable, the NHIS and pharmaceutical companies negotiate drug prices after HIRA evaluation. A key factor to be considered by the NHIS is the budget impact of the addition of a new drug.

Ministry of Food and Drug Safety (MFDS)

The MFDS reviews and approves pharmaceuticals and medical devices for safety, efficacy and quality, through technological review and inspection for their manufacturing and distribution. In February 2022, the MFDS established a Digital Healthcare Regulatory Support Division, which aims to manage the review and approval of digital medical devices.

Regulatory Sandbox Programme

Since January 2019, as part of the effort to improve the regulatory environment and to encourage the development of new technology and industries, the Ministry of Science and ICT (MSIT) and Ministry of Trade, Industry and Energy (MOTIE) have adopted a Regulatory Sandbox programme, which addresses unclear, irrational, or prohibitory regulations using the following three mechanisms.

  • The “Proven Exception” mechanism will relax a restrictive regulation under specific conditions on scope, scale, and duration.
  • The “Temporary Approval” mechanism allows for a market-first, evaluation-later approach.
  • The “Active Administrative Interpretation” mechanism allows for a looser interpretation of existing regulations.

The regulatory sandbox has been instrumental in helping digital health start-ups in Korea navigate the regulatory obstacles that impede the provision of digital health services. For example, the programme has allowed a number of start-ups to offer telemedicine services to Korean citizens residing overseas. Moreover, in March 2024, the government permitted a platform company to transfer patients’ medical data in My Healthway to HCPs for telemedicine consultations.

Despite these positive outcomes, the general regulatory sandbox programme has faced criticism for its limited impact on the digital healthcare industry. One key factor contributing to this is the cautious approach that the sandbox committee tends to take when evaluating health-related products and services. Moreover, while the sandbox programme may address specific regulations, companies in the healthcare industry often encounter additional regulatory challenges that hinder their progress. To address these concerns, a bill proposing a regulatory sandbox system specialised for digital healthcare, the Digital Healthcare Promotion Act, was introduced to the previous NA in October 2022.

Other Regulations

Other recent regulatory developments include:

  • enactment of the Act on Fostering the Medical Device Industry;
  • promulgation of Guidelines on Specific Plans for Use of Medical Data;
  • amending the evaluation standard for innovative medical technology;
  • regulations on procedures and methods for designation of innovative medical devices;
  • an amendment to the Guidelines on Implementation of Innovative Medical Technologies and the Guidelines on Management of New Medical Technologies Subject to Suspended Evaluation; and
  • the publication of the Guidelines and Casebooks for Non-medical Healthcare Services (1st and 2nd).

Regulating the Practice of Medicine

The MSA stipulates that only HCPs are permitted to conduct medical services for which they have licences. Providing medical services without a licence is strictly prohibited. However, the current MSA does not define “medical services,” and court precedents have broadly interpreted its meaning (eg, tattooing is considered a medical practice in Korea).

Therefore, providing some basic diagnostic services to customers (eg, using mobile phone applications) can be deemed as providing medical services. This has been controversial for insurance companies that have been attempting to use big data to provide consumers with a statistical analysis of their health (eg, life expectancy, chances of being diagnosed with a particular disease).

For reference, in the Guidelines on Non-Medical Healthcare Services, the MOHW states that a service is medical if it meets any of the following three criteria:

  • requires medical expertise (basis for the act);
  • involves diagnosis, prescription, or treatment based on the condition of the subject (nature of the act); or
  • may cause harm to health and hygiene (effects and side effects).

Telemedicine

While telemedicine is, in principle, prohibited in Korea, as of May 2024, it is permitted on a temporary basis. See 7. Telehealth for more details.

Prohibition of Provision of Economic Benefits to HCPs

Both the PAA and the MDA, which apply to pharmaceutical companies and medical device companies, respectively, explicitly prohibit those companies from providing economic benefits to HCPs to promote sales. As the term “economic benefits” is interpreted broadly, providing meals or drinks (or paying for other forms of entertainment for HCPs) is considered prohibited per the above statutes.

However, attendant regulations to the PAA and MDA provide for certain safe harbours regarding the provision of economic benefits to HCPs.

Administrative Sanction Procedure

In administrative enforcement action, companies are allowed to present their defence before an administrative decision is rendered. They can also challenge the decision (administrative fine, corrective order, etc) by filing a lawsuit with the administrative court under the Administrative Litigation Act, or by initiating an appeal with the general court system under the Administrative Appeals Act. Companies charged with criminal violations can proffer defences through the criminal trial process.

A final decision can generally be expected six months to a year following the initial filing.

Liability Exemption Based on the Compliance System

Companies can be exempt from liability if they can prove the presence of a robust compliance system, and show any wrongdoing by an individual within the company was an isolated event. Such compliance measures include:

  • strict internal regulations;
  • rigorous oversight by the legal/compliance teams;
  • emphasis on compliance by the management; and
  • severe disciplinary sanctions against employees/executives who engage in wrongdoing.

Thus far, however, the Korean government has been strict in exempting companies from liability based solely on the existence of strong compliance systems.

Several other regulatory agencies are involved in digital healthcare including the following:

  • MOTIE, which seeks to nurture and develop new industries, such as the digital healthcare industry;
  • MSIT, which seeks to further develop IT technology;
  • Korea Communications Commission (KCC), which enforces regulations on information and telecommunications services; and
  • Personal Information Protection Commission (PIPC), which aims to ensure that the personal information on Korea’s citizens is fully protected.

There are no definitions for “preventative care” or “diagnostic care” under Korean law. However, preventative care generally refers to medical check-ups (where the general health of a person is analysed to confirm/prevent any diseases), while “diagnostic care” is generally used to treat diseases where symptoms already exist.

One of the main regulatory schemes that apply to preventative/diagnostic care is the NHI system. Korea operates a compulsory NHI system that provides coverage for all residents, and primarily comprises general health insurance and a medical aid programme for low-income families. The MOHW oversees the NHI system and is responsible for setting healthcare policies. It also supervises:

  • NHIS, which operates the NHI system and serves as the insurer; and
  • HIRA, which is responsible for assessing reimbursement claims submitted by medical institutions.

While most Koreans subscribe to some form of private health insurance, this is in addition to the NHI system and it cannot duplicate or replace the NHI system. The NHI system provides comprehensive medical coverage for designated medical treatments.

In this regard, the current Yoon administration has made various pledges to have the State responsible for essential medical care, including:

  • securing essential medical facilities, such as emergency rooms, etc;
  • mitigating public burden caused by medical expenses by expanding support for catastrophic medical needs; and
  • expanding various public vaccination programmes.

Various factors have contributed to the increased use of preventative care. These include:

  • development of digital healthcare products (such as wearable devices to check daily exercise routines, glucose levels, etc);
  • increase in life expectancy and the desire for people to stay healthy throughout their lifetime;
  • government promotional activities, such as anti-smoking campaigns and policies; and
  • overall societal understanding that preventative care contributes to cost savings for individuals and the state’s healthcare system as a whole.

These trends in preventive care are expected to continue in the future.

Unlike medical data collected by HCPs such as EMRs, wellness and fitness data is personal health data collected by individuals (eg, through wearables), which is subject to the Personal Information Protection Act (PIPA), Korea’s primary privacy law that regulates the processing and handling of personal information. Because wellness and fitness data is health-related data, it is considered “sensitive data” under the PIPA, and is subject to stricter restrictions than other types of personal information. See 10. Data Use and Data Sharing for further discussion.

No current or proposed regulations specifically address preventative healthcare. Instead, all relevant legal issues are addressed by general laws such as the MDA, PIPA, and the Product Liability Act (PLA), etc.

Nevertheless, the new NA starting in the summer of 2024 is expected to review relevant bills such as the Digital Healthcare Promotion Act that seek to establish stronger legal grounds for the government’s efforts to help support and foster the digital healthcare industry. For more information, please refer to 2.2 Recent Regulatory Developments.

Provision of Medical Services by Non-HCPs

As explained in 2.3 Regulatory Enforcement, due to the broad interpretation of medical services, even providing basic diagnosis services to customers (eg, on mobile phone applications) can be deemed as providing medical services.

This has been a challenge for IT companies attempting to use digital healthcare tools. For example, offering consumers a statistical analysis of their health, life expectancy, or chances of being diagnosed with a specific disease could potentially fall under the category of providing medical services. Accordingly, when developing a new digital healthcare service, companies must be careful to ensure that the service offered is not a “medical service” under the MSA.

Broad Definition of “Medical Devices”

The MDA governs the management of medical devices, including manufacturing, importation, sale and use, and public health issues associated with the devices. The MDA defines “medical device” as “an instrument, machine, device, material, software, or any other similar product [...] used for the purpose of [...] diagnosing, curing, alleviating, treating or preventing a disease” in humans or animals.

Given this somewhat ambiguous definition (without much additional detailed guidance), the MFDS tends to interpret the definition broadly. For example, the MFDS has ruled that “computer aided detection and diagnosis software” and “software that efficiently checks, analyses, transmits and prints medical images and treatment information in the field of radiation oncology” are medical devices under the MDA. Additionally, software that assists and supports clinical decision-making by HCPs is found to be a medical device. The prior marketing authorisation needed for medical devices requires, among other things, clinical trial data to be submitted to the MFDS.

Overseas Transfer of Personal Information

Under the amended PIPA, which took effect in September 2023, a personal information controller that is not an online service provider must take certain necessary steps for overseas transfer of personal information, including obtaining the consent of the data subject. Accordingly, when multinational companies transfer personal information, such as patient information, to their overseas affiliates, they must obtain separate consent for the overseas transfer.

Consent may be waived for overseas outsourcing or storage of personal information that is needed for the execution and performance of an agreement with the relevant data subject, but the details of such overseas transfer must still be disclosed in the privacy policy.

Meanwhile, stricter regulations would apply to the overseas transfer of EMRs. Under the MSA, it is generally illegal to transfer medical records to a third party outside of a medical institution, as the law prohibits the disclosure, alteration, or destruction of EMRs without a valid reason. Consequently, national and public medical institutions are explicitly prohibited from storing their data, including EMRs, outside of Korea when using a commercial cloud computing service. These institutions must instead utilise a certified cloud computing service under the Cloud Security Assurance Program (CSAP), which mandates that the cloud system and hosted data be physically located within Korea. However, there is ongoing discussion around possible exceptions that may be necessary, such as when domestic medical institutions collaborate with foreign medical institutions.

The development of 5G, AI, machine learning (ML) and subsequent application of such technologies to wearable devices have contributed to the development of the “internet of medical things” (IoMTs). Such technologies have had a particularly strong impact on preventative medical services (eg, monitoring blood pressure, glucose levels).

The use of such products by individuals and hospitals, however, has been somewhat limited because they often constitute medical devices. Such regulatory hurdles need to be addressed in the near future to ensure innovative IoMTs are fully utilised.

If a healthcare technology causes bodily harm, the victim must determine whether the harm was caused by a product defect or the fault of the HCP who administered it.

Civil Liability

If the bodily harm is caused by a defect in the product, the manufacturers or sellers of the product may bear civil liability under the PLA for the defect, such as manufacturing defect, design defect or warning defect (where sufficient warning was not provided).

Under the PLA, it will be presumed that the product was defective at the time of supply and that the defect caused the damages if a victim can prove that the harm:

  • was sustained while the product was being used normally as intended;
  • was caused by something that originated within the boundaries controlled by the manufacturer; and
  • would not normally occur in the absence of the defect.

A manufacturer may be exempt from product liability claims in the following circumstances:

  • the manufacturer did not supply the product;
  • the alleged defect could not have been discovered by scientific or technological standards available at the time the product was supplied;
  • the alleged defect was caused by the manufacturer’s compliance with standards mandated by laws in effect at the time the product was supplied; or
  • with respect to suppliers of raw materials or parts/components, if the alleged defect was caused by the purchasing manufacturer’s specifications regarding the design or manufacture.

Meanwhile, if an adverse healthcare outcome is caused by a fault attributable to an HCP, the HCP may be liable for the harm caused to the patient under the general Civil Code.

Criminal Liability

Criminal liability requires the showing of negligence. Therefore, if the product causes bodily harm to the victim and the manufacturer was negligent in causing the defect which subsequently caused such bodily harm, the manufacturer of a medical device/drug could be criminally liable. The manufacturer in this instance will need to prove that it was not negligent.

Similarly, an HCP can be criminally liable if the bodily harm was caused by a fault attributable to the negligence of the HCP.

All medical data stored in clouds or local computers are vulnerable to cyber-attacks, leading to the rise of cybersecurity IT firms and the implementation of strict laws.

For example, when applying for marketing authorisation for a medical device which has telecommunication functions, strict cybersecurity protection measures are required. This includes applying ISO 14971 to evaluate the risk, using data encryption for medical data transfer, and maintaining event logs.

Furthermore, medical institutions must maintain strict regulations for the equipment and facilities that store and process medical data, and even stricter regulations when storing such data on external servers.

In Korea, there is no regulatory regime that specifically addresses the IoMT. An IoMT would be subject to health regulations only if it constitutes a medical device under the MDA or a medical service under the MSA. All such issues are handled primarily by the MOHW.

According to the Digital Treatment Devices Approval and Review Guideline, SaMDs are defined as:

  • “a medical device that is not dependent on hardware;
  • has a function that meets the intended use of the medical device; and
  • consists solely of independent software”.

As SaMDs are regulated as medical devices, the MFDS handles their marketing authorisation and management and also categorises them into four different classes depending on the level of risk they pose to patients.

Similarly to other medical devices, if SaMDs are upgraded to include new features or functions, additional authorisation needs to be obtained, while simple patch updates or upgrades to fix bugs do not require additional authorisation (for AI/ML-based SaMDs, please see below).

Whether a product uses AI and ML will not determine whether it is classified as a medical device, but if it is deemed to be a medical device, the party applying for the marketing authorisation will need to disclose the relevant algorithm.

The question arises as to whether AI/ML-based SaMDs require additional marketing authorisation whenever the AI/machine’s functions are improved due to the ML feature. Currently, the MFDS takes the position that, as long as the manufacturer does not advertise those enhancements made due to ML, a marketing authorisation amendment would not be necessary. However, if a new feature or function is added, an additional marketing authorisation amendment will be required.

The biggest hurdle for SaMDs has been NHI reimbursement. However, in August 2023, the MOHW and the HIRA enacted administrative guidelines on health insurance registration of digital therapeutics and Artificial Intelligence (AI)-embedded medical technologies. The guidelines also provide for an integrated review and assessment system that allows relevant ministries to review and assess the technology’s candidacy as Innovative Medical Devices (IMDs) in parallel. As of April 2024, a total of 50 devices have been recognised as IMDs, but only about 16 devices have applied for and passed the integrated review process to receive temporary insurance benefits. Accordingly, health insurance benefit registration will likely be the key to the commercialisation and market entry of AI medical devices in the future.

Additional requirements apply to national and public medical institutions. As mentioned in 4.5 Challenges Created by the Role of Non-healthcare Companies, these institutions can only use commercial cloud computing services that are CSAP-certified and, therefore, only SaMDs that use CSAP-certified services. However, CSAP certification requires cloud service providers to meet strict requirements, including data and personal localisation, physical separation of networks, and Common Criteria certification. These requirements are often viewed as obstacles that hinder foreign commercial cloud service providers from serving national and public medical institutions.

Traditionally, telemedicine has had limited use in Korea’s healthcare industry due to the prohibition outlined in the MSA. However, it has gained importance in recent years, particularly during events like the COVID-19 pandemic and hospital doctor strikes, as a supplementary measure to ensure ongoing access to healthcare services during healthcare crises. See 7.2 Regulatory Environment for more details.

Going forward, telemedicine’s role is anticipated to expand and become an established part of the healthcare system, instead of being used only in healthcare crises, because the government is pushing for the institutionalisation of telemedicine.

As noted above, the MSA prohibits telemedicine in Korea, but during the COVID-19 pandemic, temporary exceptions were made to allow telemedicine for consultations and prescriptions and to be reimbursable through the NHI.

Initially, the government relied on existing provisions in the Framework Act on Public Health, the MSA, and the Act on Prevention and Control of Infectious Diseases (Infectious Diseases Prevention Act) to permit telemedicine during the pandemic. However, in December 2020, a new Article 49(3) was established under the Infectious Diseases Prevention Act, providing more permanent legal grounds for allowing for telemedicine when the healthcare crisis level is elevated to “severe.”

When the pandemic situation improved and the healthcare crisis level was downgraded to “alert”, the temporary permission for telemedicine ended but the public demand for it was evident. Therefore, since 1 June 2023, a limited pilot project has been in place to allow telemedicine for returning patients at clinic-level medical institutions who have had one or more in-person visits.

However, in February 2024, hospital doctors went on a national strike to protest the government’s plan to reform the medical industry by increasing medical school admissions by over 50%. This prompted the government to elevate the healthcare crisis level back to “severe”, allowing non-face-to-face medical treatment at all types of medical institutions, including hospital-level facilities, for not only returning patients but also first-time patients, as long as the doctor deems it safe.

Consequently, telemedicine service platforms, which almost had to discontinue their telemedicine services after the pandemic ended, have now resumed advertising and offering full telemedicine services. However, due to the limited and temporary legal basis and opposition from various groups such as medical associations and pharmaceutical associations, these companies continue to face uncertainty regarding their business prospects and revenue models.

As an incentive, the Korean government currently offers 130% of basic consultation and prescription drug fees to hospitals and drug stores that offer telemedicine services. The fee may be adjusted to the same level as on-site medical services once telemedicine is institutionalised.

IoMTs are integrated software, devices, hardware, etc, that help HCPs monitor patients or diagnose or treat diseases. The main technology used for IoMTs includes 5G networks, big data analysis, and AI.

The most important legal issues faced by IoMTs include the following.

  • Medical Devices – depending on the purpose of the product and its risk level, the IoMTs could be considered “medical devices” under the MDA requiring prior marketing authorisation.
  • Provision of Medical Services – depending on the services being provided by IoMTs (eg, analysing blood pressure, glucose level), they could be considered as providing medical services by non-HCPs.
  • Personal Information – manufacturers of IoMTs must ensure that any personal information collected complies with Korean data privacy laws.

Meanwhile, since the launch of ChatGPT, various “digital assistant” services that provide medical information have emerged in Korea. However, as these services may be considered medical practice by non-HCPs, their providers must take care not to violate the MSA, and should do so by limiting the services to simply introducing already-disclosed materials such as standard medical guidelines. To minimise the risk of violation, service providers are advised to include a clear disclaimer advising users to consult with HCPs for specific medical information.

Impact of 5G Networks

Since the first commercialisation of 5G networks in the world in April 2019, Korea has been rapidly deploying and expanding its 5G networks, thereby setting the foundation for a rapid change in the digital healthcare market. In 2024, the government completed the establishment of the national 5G networks, including rural areas, and it aims to lead the 5G network era with a specialised network that provides 5G services customised to the needs of various industries, including medical services.

The advent of 5G is bringing about significant changes in hospitals, including the proliferation of IoT. In Korea, mobile carriers and hospitals are working together to build 5G “smart hospitals” incorporating AI and immersive content.

Smart hospital initiatives involve various measures, such as installing AI speakers in hospital rooms to allow for prompt response to urgent care needs; creating smart operating rooms (OR) that use real-time information on patients and OR resources; digitising medical records using AI voice recording; providing virtual reality-based nursing practice; using IoT to manage the location and usage of hazardous drugs; or providing IoT-based hospital rooms for improved sleep and air quality monitoring.

The government has also launched pilot projects to introduce 5G-enabled AI ambulances. These enable rapid data transmission between ambulances and a cloud-based platform that analyses patient information and provides instructions on first aid and hospital selection during patient transport.

Furthermore, 5G is enabling the establishment of mobile hospital infrastructures that can be used in disaster-stricken areas. In May 2021, the government unveiled plans to create the world’s first mobile hospital to expand healthcare services to underserved areas, such as disaster areas, using AI diagnostic equipment based on 5G technology. Under the plan, mobile hospitals are expected to be operational within 60 minutes in disaster situations or in vulnerable areas.

Commercial and Contractual Considerations

Using 5G infrastructure in digital healthcare could be challenging due to the additional burden of complying with telecommunications regulations.

Accordingly, when mobile carriers and hospitals negotiate to collaborate to provide 5G-based medical services, it would be crucial for them to decide who should be responsible for licences/permits and information security failures, including who would be liable for any breaches of personal or medical information.

In addition, if existing regulations limit the use of 5G infrastructure, exploring temporary permits within a regulatory sandbox system could be a solution. This system enables companies to experiment with new technologies until regulations are eased. See 2.2 Recent Regulatory Developments for more detail.

The collection, use and provision of personal health information may be subject to the PIPA, the MSA, and the Bioethics and Safety Act (BSA). While the PIPA is a general law governing the processing of personal information, the MSA takes precedence over the PIPA for patient records held by medical institutions, and the BSA takes precedence over the PIPA for research on human subjects including clinical trials. The following sections explain the collection, use and provision of personal health information under the PIPA, MSA and the BSA.

Personal Information Under the PIPA

As the general privacy law in Korea, the PIPA applies unless other laws and regulations specifically provide for the processing of personal information.

Under the PIPA, personal information refers to information pertaining to a living individual that, even if it cannot in and of itself identify the individual, can either be used to identify the individual or be easily combined with other information to identify the individual. In general, the PIPA regime requires data processors to obtain consent from data subjects to collect, use and provide their personal information, but it requires additional separate consent to be obtained for the processing of sensitive information, such as health-related information, or for the transfer of information to a third party.

However, information that can no longer be used to identify an individual, even when combined with other information, is considered “anonymous information” and is not subject to the PIPA.

Pseudonymised information, on the other hand, refers to information that cannot identify a specific individual without the use of additional information. Such pseudonymised information is regulated by the PIPA. Unlike other personal information, however, it may be used without the consent of the data subject for the purpose of compiling statistics, conducting scientific research and preserving records for the public interest. It cannot be processed for the purpose of identifying a specific individual.

Digital Healthcare and Pseudonymised Information

The use of pseudonymised information is increasing as the demand for information for research grows and as it remains difficult to obtain consent from data subjects, especially in the digital healthcare sector.

The PIPC and the MOHW have jointly published the Guidelines on Utilisation of Healthcare Data to explain the standards, methods and procedures for pseudonymising individual healthcare data. For example, in the case of image information such as endoscopy, X-ray and ultrasound, if identifiers (eg, patient number or name) are deleted or masked and the Digital Imaging and Communications in Medicine (DICOM) header is deleted from the metadata, such information may be considered pseudonymised.

In January 2024, the government released an updated version of the Guidelines that expands the scope of pseudonymised information. Unlike the previous Guidelines that only permitted pseudonymisation of structured data (data stored in standardised formats, such as spreadsheets), the updated Guidelines now provide methods to pseudonymise different types of unstructured data, such as genomic data. This means a wider range of data is now available for industrial research and analysis without the need for data subject consent.

Fields Subject to the MSA and BSA

The MSA takes precedence over the PIPA for patient records held by medical institutions. In particular, the MSA has strict requirements if a medical institution needs to provide a third party with access to (or a copy of) the patient’s records.

However, the PIPA, not the MSA, applies to medical records and pseudonymised information that cannot be used to identify a specific patient. Thus, institutions may consider using pseudonymisation when using such medical records/information for digital healthcare.

The BSA applies to studies on human subjects, including clinical studies. Under the BSA, researchers may transfer personal information after deliberation by the Institutional Review Board and with written consent from the data subject. In addition, when providing personal information to a third party, institutions must either replace all or part of the personally identifiable information with a unique identification code or obtain consent from the data subject for the information transfer.

Leakage of Personal Information

The PIPA also regulates personal information leakage and data breach. Under the amended PIPA, if personal information is leaked due to a data processor’s failure to take necessary measures to ensure the safety of the information, the data processor may be subjected to an administrative fine of up to 3% of its “total revenue minus any revenue unrelated to the violation”, meaning that the data processor bears the burden of proving which revenue is unrelated to the violation. The amended PIPA no longer imposes criminal penalties for this offence.

Data processors can still be liable for civil damages for data leakage. If personal information is leaked due to wilful misconduct or gross negligence of the data processor, it may be held liable for punitive damages of up to five times the amount of damages suffered by data subjects. Also, data subjects may claim up to KRW3 million even when it is difficult to specify the amount of damages.

Meanwhile, under the MSA, if an HCP divulges someone else’s information obtained while performing their duties or violates restrictions on the provision of such information to a third party, they can face imprisonment of up to three years or a fine of up to KRW30 million. However, they cannot be punished if no complaint is filed.

In addition, under the BSA, anyone who discloses or misappropriates confidential information may be imprisoned for up to three years (a corporation or representative may be subject to a fine of up to KRW50 million pursuant to the vicarious liability provision), and a person who provides treatment information, including genetic information, to a third party may be subject to imprisonment of up to two years or a fine of up to KRW30 million.

The Concept of AI

While the term AI most commonly refers to Artificial Intelligence, it may be reasonable to view it in the healthcare sector as “Augmented Intelligence” rather than “Artificial Intelligence”, as AI is used to support and assist HCPs in making decisions on medical treatment, prescription and medication. There is no formal consensus on this point.

Personal Health Information as Training Data for ML Algorithms

To comply with the consent requirement under the PIPA, data processors must ensure they obtain consent to collect and use personal information, even when using publicly available data to train ML algorithms. Also, when using publicly available data, they must be careful not to accidentally acquire sensitive information, which is subject to stricter processing requirements.

Furthermore, under the PIPA, data processors must process personal information according to the stated purpose at the time of obtaining consent. Therefore, when using personal health information as training data for ML algorithms, data processors must ensure that the purpose of training the ML algorithm aligns with the purpose stated when obtaining consent. If the scope of use exceeds the initially disclosed purposes, they should consider pseudonymising the information and adhere to the limited purposes permitted for pseudonymised data.

Risk of Cyber-Attacks and Misuse/Abuse of Sensitive Information

Personal health information, including medical data held by medical institutions, constitutes sensitive information and may be vulnerable to misuse and cyber-attacks. For this reason, the MSA requires that the MOHW be notified in the case of medical data breach.

Genetic information may be particularly vulnerable as it may contain information not only about specific individuals but also about third parties such as their relatives. For this reason, the Guidelines for the Utilisation of Healthcare Data impose stricter limitations on the pseudonymisation of genomic information.

Centralised Electronic Health Record Computer System

In Korea, due to the lack of standardisation of EMRs, the utilisation rate of EMRs by medical institutions is low. Accordingly, the MOHW has launched a project to standardise EMRs in hospitals and clinics, but progress has been limited. Once the EMR system is standardised, medical data scattered across individual medical institutions can be utilised to the full extent permitted by law, improving data quality at a national level and fostering growth in the pharmaceutical and medical device industries.

Natural Language Processing and the Healthcare Field

Natural language processing (NLP) is understood to be AI that helps computers understand, interpret and manipulate human languages. In the healthcare field, it can help with processing and analysing various physicians’ handwritten records, prescriptions, clinical trial data and image/voice data.

Similar to Article 22 of the EU’s General Data Protection Regulation (GDPR), the amended PIPA introduces the right of data subjects to refuse, or request an explanation of, decisions made through the processing of personal information via a fully automated system (including systems applying AI technology) that significantly affects the rights or obligations of the data subject. However, the key difference is that, while the GDPR generally prohibits fully automated decision-making and allows exceptions, the PIPA generally permits it with exceptions.

Meanwhile, a so-called “AI Act” is currently under review by the NA, which aims to provide a legal framework for the use of AI by requiring the AI technology to meet certain trustworthiness and ethical standards. For example, it classifies AI technologies directly connected to human life and safety, including those used in medical devices, as “high-risk” AI and imposes robust standards. It also addresses the issue of potential bias in AI and ML by requiring the government and AI business operators to ensure no “discrimination and bias” in every stage from development, manufacturing, and production of AI, and mandating the government to prepare a framework plan that includes an ethics code to safeguard against “discrimination and bias” and protect human rights.

The slow-changing regulatory environment poses the biggest challenge for companies developing digital healthcare technologies. Since many innovative technologies are not allowed or fall into grey areas under current laws and regulations, these companies cannot invest aggressively in new technologies. Due to these regulatory risks, more Korean companies are choosing to establish headquarters overseas or start their services abroad before expanding back into Korea. These regulatory issues are particularly difficult for those that are newly entering the field, so they often collaborate with existing medical institutions or acquire medical device companies to navigate this regulatory environment.

For medical institutions to support digital healthcare, they need to digitise and store medical records using cloud services. Therefore, the government introduced an EMR system certification in 2020 to allow cloud storage of hospitals’ medical data.

EMR certification is divided into “product certification” of the EMR system, granted to self-developed or commercial software products of medical institutions utilising medical data, and “certification of use” granted to medical institutions adopting such software. Medical institutions can efficiently operate the EMR system by obtaining the certification and using cloud services that meet the EMR certification requirements instead of their own IT facilities.

The EMR certification standard verifies whether:

  • network access is separated between the management area of the cloud computing service providers, the service area of users, and the service area between users;
  • a dualised network (line, internal network configuration route, router, etc) is configured for each section of the network so that services can be provided without interruption;
  • the product meets the requirements of the National Intelligence Service, such as Common Criteria certification, when introducing a product with information protection and security functions; and
  • the physical location of the EMR system and its backup equipment is limited to Korea.

Some in the industry find that these requirements should be relaxed, but the government has no such plans. It remains to be seen whether they will be relaxed in the future.

Digital healthcare is an area where medical information and IT meet and where issues regarding patents, copyright and trade secrets can intersect.

Patents can provide protection if a device or method that provides digital healthcare is considered an invention. Although business methods and processes may be protected through patents, software may be protected by copyright from the date of creation.

Alternatively, if the owner of the information or data does not want it to be disclosed, they may wish to protect it as a trade secret.

Data and databases used in ML can be protected as compilation works under the Copyright Act or as trade secrets. Moreover, the recent amendment to the Unfair Competition Prevention and Trade Secret Protection Act (UCPA) has added the unfair use or disclosure of another person’s data as an act of unfair competition.

However, there is global debate over whether AI inventions should be granted patents, as most countries, including Korea, do not recognise AI as a “natural person”.

In digital healthcare, patents, trade secrets and copyrights are important considerations. What follows is an explanation of how to obtain IP rights, as well as the protection period and enforcement.

Obtaining IP Rights

Patents need to be separately registered through filing a patent application.

Trade secrets do not need to be filed, but under Article 2(2) of the UCPA, must meet the following three requirements:

  • be non-public in nature;
  • maintain secrecy; and
  • be of economic value.

Copyright protection is available from the time of creation without the need for any separate registration, although it is recommended to register for enforcement purposes.

Protection Period

The protection periods are as follows:

  • patent – 20 years from the date a patent application is filed;
  • trade secret – no time restrictions as long as the secrecy is maintained; and
  • copyright – 70 years after the author’s death or after publication for works made for hire.

Enforcement

Trade secrets offer little protection for products and devices that can be reverse engineered. In those cases, seeking patent protection is preferable. However, for manufacturing processes where infringement may be difficult to prove, it may be desirable to seek trade secret protection.

Copyright provides automatic protection and does not require a separate registration process, but the scope of protection tends to be narrowly construed. For example, courts do not find copyright infringement if there is no intent to infringe, such as an accidental matching of expressions.

When multiple IP owners are involved, each of the IP rights and each owner involved should be identified in advance of making a licence agreement. Thereafter, it is necessary to set the licence scope tailored to the characteristics of each IP right and to set a separate licence agreement(s) with each owner.

If the digital technology is the result of a joint development, there are legal and practical restrictions on transfer, pledge, licensing, etc. Thus, it is advisable to reflect these in the licence agreement. Moreover, if medical data needs to be used, strict privacy issues must be addressed. It is therefore advisable to check whether there are any restrictions on the use of such data.

Under the Invention Promotion Act, if an HCP/inventor invents an item, the right to the invention is inherently vested in the inventor, but universities or healthcare institutions may obtain this right by contract or employment rules. Therefore, most institutions have contracts or employment rules in place where inventions are assigned to the employer.

In situations where an inventor is affiliated with both a university and healthcare institution, the ownership of the right is determined based on the interpretation of the relevant contract.

Joint development agreements can generally be classified into research conducted with government funding and without government funding. For government-funded research, relevant government ministries usually provide standard guidelines on the ownership of IP rights, but for joint development projects, they generally require ownership sharing.

In the case of joint research by private entities, it may differ on a case-by-case basis, depending on the specific terms of the agreement. Usually, private companies prefer sole ownership of inventions coming out of R&D, but in some cases, companies agree to share inventions with individuals like doctors or professors in light of strong long-term relationships.

The Patent Act and Copyright Act have provisions that directly regulate co-ownership of IP rights arising out of joint development. There are no such statutory provisions for trade secrets, although certain principles are recognised by courts in practice, as explained below. Therefore, it is important to consider these issues when drafting the relevant agreement.

Patent

A co-owner may use a patented invention without the consent of the other co-owners, but the consent of all co-owners is required for share transfers or pledges (Article 99 of the Patent Act). Moreover, for in-service inventions, ownership belongs to the inventor by default, so transfer-of-ownership agreements are needed.

Copyright

All co-owners of a joint work must agree for the copyright to be exercised. Any share transfer or pledge requires the consent of all joint authors and the profits from the use of a joint work shall be distributed according to the degree of contribution to the joint creation (Article 48 of the Copyright Act).

Trade Secrets

Trade secrets may be used without the consent of other co-owners. However, the consent of co-owners is required for share transfers or pledges. Although there is no specific provision in the UCPA, court precedents apply the co-ownership provision under the Civil Code.

There are no specific theories on liabilities arising from decisions based on digital health technologies.

The primary party liable for damages incurred by patients would be the HCPs. If HCPs can prove that they did not intentionally or negligently cause harm to patients, they would not be held liable. However, the extent to which HCPs would be liable for AI-enabled software or information provided by generative AI is a legal area that needs to be further researched and developed.

If the digital health technology in question clearly has a fault that caused damages, then the PLA (which levies strict liability on manufacturers of products) may apply to hold the manufacturer of such technology liable for the damages.

There are no specific laws which address the liability of third-party vendors’ products or services that cause harm to healthcare institutions in the context of supply chain disruptions or as a vector for cybersecurity attacks, etc. Any civil liability, for example, would be addressed primarily by the Civil Code (eg, if a party defaults on its obligations to a contract, that party would compensate for the damages). The terms of the agreement could potentially limit the scope of such liability.

Kim & Chang

39 Sajik-ro 8-gil
Jongno-gu
Seoul 03170
South Korea

+82 2 3703 1114

+82 2 737 9091/9092

lawkim@kimchang.com www.kimchang.com