The health sector has been undergoing rapid digitalization for several years, with eHealth applications and connected health objects (OCS) developing at an exponential rate, representing an estimated figure of 20 billion connected objects in 2020 and more than 100,000 mobile health applications available today.
eHealth: Health applications and connected devices
For the management, R&D, legal, and marketing departments of pharmaceutical and healthcare companies, as well as for start-ups and SMEs developing this type of digital tool, new issues arise in ensuring a relevant and reasoned use of digital tools: organization of the healthcare system, methods of patient care, new forms of prevention, and therapeutic education.
Through several studies, the rules for assessing compliance have emerged as a crucial issue for healthcare professionals in order to guarantee data security, device reliability, and the efficiency of the new technologies used.
Several avenues for consideration have already been explored, such as the creation of a quality and security label based on a charter outlining the fundamental principles that e-health applications and devices must respect, or co-regulation between healthcare professionals and manufacturers. The French National Authority for Health (HAS) published a best practices guide for connected health applications and devices in October 2016.
Risks inherent in eHealth and personal data
The rapid deployment of connected health devices calls for the utmost caution given the numerous associated risks.
Beyond the economic risks linked to the development of these applications and the consumer labeling (CE or DMC) of new applications and connected devices, the risks related to the misuse of health data, as well as ethical risks, remain significant. For example, several American insurers have already announced their intention to use collected personal health data to tailor their offers to their clients. Similarly, industrial risks, particularly those related to cybersecurity, currently lack reliable solutions.
From a legal standpoint, in the absence of a dedicated legal framework, there is currently no specific mechanism that takes into account the characteristics of connected devices—the variety, volume, and speed of transmissions, and the intended use of health data. In this context, new e-health applications and connected devices are subject to a very restrictive French and European regulatory framework, particularly regarding medical confidentiality, medical devices, information exchange and the processing of personal health data.
The regulatory impact of using health applications and connected devices
The legal classification of digital tools used in healthcare is a major issue, as the Public Health Code provides for several types of regulated devices:
A medical device (MD) is defined in Article L5211-1 as any instrument, apparatus, equipment, material, product (excluding products of human origin), or other article used alone or in combination, including accessories and software necessary for its proper functioning, intended by the manufacturer to be used in humans for medical purposes and whose principal intended action is not achieved by pharmacological or immunological means or by metabolism, but whose function may be assisted by such means. Software intended by the manufacturer to be used specifically for diagnostic or therapeutic purposes also constitutes a medical device; its definition is based on its intended purpose.
Telemedicine, governed by Article L6316-1, is defined as a form of remote medical practice using information and communication technologies, connecting one or more healthcare professionals with each other or with a patient. It includes several medical acts such as teleconsultation, tele-expertise, medical telemonitoring, medical teleassistance, and the medical response from SAMU and Centre 15 call centers.
eHealth, mHealth: the new framework for healthcare professionals
Depending on the legal qualification chosen for apps and OCS, the responsibility of the actors and the assessment of compliance with medical requirements (the validity and usefulness of clinical and electronic data) will be subject to the assessment, management, and treatment of specific risks; only a case-by-case analysis can guarantee the best protection for developers, distributors, and users.
Regarding the processing of personal health data, several provisions apply, including the French Law for Confidence in the Digital Economy (LCEN) and the European General Data Protection Regulation (GDPR).
The GDPR's implementation is scheduled for May 2018, and it notably involves respecting the purpose for which the data is used, the relevance of the data collected, the duration of its storage, data security and confidentiality, and ensuring that the individuals concerned are properly informed.
Consequently, mobile applications and connected devices that require the hosting of health data on behalf of individuals or legal entities must also comply with the provisions of the French Public Health Code.
New for 2017 – European regulations on medical devices and in vitro diagnostic medical devices
At the European level, Regulations 2017/745 on medical devices and 2017/746 on in vitro diagnostic medical devices – the European Medical Devices and In vitro Diagnostic Medical Devices Regulations – have recently supplemented the existing framework. These regulations were adopted on April 5, 2017, initiating a transitional period of three and five years respectively for the full implementation of these new provisions.
This new regulation clarifies the roles and responsibilities of the various stakeholders, from the design of medical devices to their distribution and even beyond, through product conformity and traceability. It also introduces new responsibilities for existing regulatory bodies, such as Notified Bodies, Competent Authorities, and the European Commission.
While the core of the rules’ application remains unchanged, the regulations place particular emphasis on pre-marketing compliance and post-marketing monitoring, as well as the traceability and conformity of medical devices and in vitro diagnostic medical devices (IVDs). This translates, in particular, into stricter classification rules, which necessarily require updated CE marking documentation.
In this particularly demanding context, healthcare professionals and manufacturers must be especially vigilant in this new digital world they are entering.