ehealth and mhealth presentation

How to Manage IT, Telecommunications Personal Data Rules and Software Regulatory Requirements in the EU and Global Environment, including Case Studies Erik Vollebregt Partner Axon Lawyers 25th Annual EuroMeeting 4-6 March 2013 RAI, Amsterdam Netherlands

Upload: erik-vollebregt

Post on 22-Nov-2014


DESCRIPTION

Presentation in the eHealth and mHealth session at the DIA Euromeeting on 6 March 2013 in Amsterdam

TRANSCRIPT

Page 1: eHealth and mhealth presentation

How to Manage IT, Telecommunications Personal Data Rules and Software Regulatory Requirements in the EU and Global Environment, including Case Studies

Erik Vollebregt, Partner, Axon Lawyers

25th Annual EuroMeeting

4-6 March 2013, RAI, Amsterdam, Netherlands

Page 2: eHealth and mhealth presentation

Disclaimer

The views and opinions expressed in the following PowerPoint slides are those of the individual presenter and should not be attributed to Drug Information Association, Inc. (“DIA”), its directors, officers, employees, volunteers, members, chapters, councils, Special Interest Area Communities or affiliates, or any organization with which the presenter is employed or affiliated.

These PowerPoint slides are the intellectual property of the individual presenter and are protected under the copyright laws of the United States of America and other countries. Used by permission. All rights reserved. Drug Information Association, DIA and DIA logo are registered trademarks or trademarks of Drug Information Association Inc. All other trademarks are the property of their respective owners.

Page 3: eHealth and mhealth presentation

Introduction

• EU political and regulatory context
• (health) data protection regulation developments
• Regulation of software as medical device
• Reimbursement, licensing
• Liability
• Case studies

Page 4: eHealth and mhealth presentation

EU political background

• eHealth Action Plan 2012 – 2020
  – struggles with Lisbon competences (“EU action shall respect the responsibilities of the Member States for the definition of their health policy and for the organisation and delivery of health services and medical care.”)
• Pretty big changes in
  – regulation of medicinal products and medical devices / IVDs
  – regulation of collection and processing of health data

Page 5: eHealth and mhealth presentation

Health data protection

• Currently in flux with General Data Protection Regulation proposal
• Horizontal approach to all data causes excessive collateral damage in healthcare sector
  – What we hate in marketing and social media, we actually want in healthcare (e.g. monitoring, profiling, further processing, traceability)

Page 6: eHealth and mhealth presentation

General Data Protection Regulation

• Data protection as fundamental right
  – EU approaches data protection from the angle of fundamental right – this means less attention to pure internal market interests and more to data subject interests
• Definitions & scope
  – Implementation of Art 29 WP opinions on scope (“singling out”, unique identifiers, pseudonymisation, “reasonably likely means”)
• Consent requirements
  – New disqualifiers: imbalance and consent to process data and necessary for execution of the contract
• Impact assessment
  – Mandatory sign-off national authorities prior to processing but no methodology / standards and no deadlines
  – Impact assessment for each individual instance of processing

Page 7: eHealth and mhealth presentation

General Data Protection Regulation

• Privacy by design
  – Prior approval of impact assessment of each act of processing
  – Literally – Parliament proposes that software and devices have to be designed and built so as to enable GDPR and data subject’s rights by default
  – Intelligible explanation of automated processing logic
• Exemptions for processing of health data without consent
  – With uncertainties around concept of ‘consent’, derogations for “public health” and “scientific purposes” become crucial
  – Exemptions not suited for outsourced processing in eHealth / mHealth services and not drafted for regulatory clinical data obligations
• Technical standards
  – Commission can issue technical standards related to implementation of GDPR requirements

Page 8: eHealth and mhealth presentation

General Data Protection Regulation

• Data subject’s rights
  – Right to correct, information, be forgotten and of erasure problematic in clinical context
  – Right to request interoperable and open source format copy of processed data
• Company burden
  – Mandatory privacy officer
  – Large fines
• Many open ends still that are subject to implementation by implementing act or regulation by delegated act
• Commission is not obliged to use these powers and EU legislator may change the scope or revoke power, which increases uncertainty

Page 9: eHealth and mhealth presentation

Regulation of software as MD / IVD

• MEDDEV 2.1/6 on standalone software, currently under revision
• Differences in interpretation of what software constitutes a medical device
• EN 62304 standard
• Lack of harmonised interoperability standards

Page 10: eHealth and mhealth presentation

Reimbursement

• Directive 2011/24/EU on the application of patients' rights in cross-border healthcare
  – Member State of affiliation shall ensure that the costs incurred by any insured person receiving cross-border healthcare are reimbursed, if the healthcare in question is among the benefits to which the insured person is entitled in the Member State of affiliation (Article 7(1) of the Directive)

Page 11: eHealth and mhealth presentation

Licensing

• Directive 2005/36/EC on the recognition of professional qualifications does not apply to healthcare professionals providing cross-border telemedicine
• If the service provider complies with the legislation applicable to the taking up and exercise of an information society service in his Member State of establishment, he will in principle be free to provide his services in other Member States (Cross-Border Patient Rights Directive and e-Commerce Directive)

Page 12: eHealth and mhealth presentation

Liability

• Professional liability
• Contractual liability
• Defective product
  – Member states differ in whether e/mHealth software is a “product” under EU Product Liability Directive (85/374)
• Network outages?

Page 13: eHealth and mhealth presentation

Case study


Page 14: eHealth and mhealth presentation

Case study
