Vrije Universiteit Brussel (VUB)
interdisciplinary Research Group on
Law, Science, Technology and Society (LSTS)
Vrije Universiteit Brussel (VUB)
Interdisciplinary Research Group on Law, Science, Technology and Society (LSTS)
This research was in part supported by the Brussels Institute for
Research and Innovation (INNOVIRIS) under the framework of the project
Interoperable platform for Remote monitoring and Integrated e-Solutions
(IRIS). The authors also acknowledge the support of the European
Commission-FP7 Marie Curie Industry-Academia Partnerships and Pathways
Action ‘VALUE AGEING’ (GA 251686).
The growth in the mobile devices market (smartphones and tablets) has been accompanied by a rapid increase in the number of software applications for mobile devices ('apps'). One of the fields propelling this market growth is the healthcare and life sciences sector and industry (Greenspun and Coughlin 2012). Modern smartphones and tablets are embedded with a variety of sensors, such as multi-touch touchscreen, accelerometers or gyroscopes, ambient light sensors, GPS, cameras, fingerprint sensors, facial recognition etc. These sensors are able to collect and store large amounts of data. Through an interface called Application Programming Interface (API), collected data can be accessed and processed by software programs or accessories, or a combination of accessories and software, that run on smartphones: what we call ‘applications’ or ‘apps’.
Thanks to wireless communication networks – allowing continuous, real-time, exchange and ‘crossing’ of data, apps can be used for a wide variety of purposes, including the management of personal health, wellness, and wellbeing. For instance, many apps allow users to monitor their caloric intake for healthy weight maintenance: ‘MyFitnessPal’, ‘LoseIt!’, and ‘DailyBurn’ are just a few examples.
Apps can be used by healthcare professionals, nurses, physicians, and informal carers. For instance, the REACTION GlucoTab implements a mobile tablet- based workflow support system for nurses and physicians on the ward; its features include a validated basal/bolus insulin titration protocol. The Radiation Emergency Medical Management (REMM) app gives healthcare providers guidance on diagnosing and treating radiation injuries. Other apps allow for the monitoring of heart rhythm abnormalities, to carry out consultations on dermatology cases, etc.; and the list goes on.
As for most technological developments, e-health and mobile health technologies are laden with risks and uncertainties. Participants in studies highlight "clinical risks (misdiagnosis), social and interpersonal (interactional), personal and professional (overload of information, liability and role change), technical (failure) and organisational (poor integration)" (Finch et al, 2006). Two diffuse concerns relate specifically to the use of medical apps for medical purposes.
The first concern relates to the safety of the patient. Under EU law, safety requirements vary depending on whether apps are intended to be used for medical purposes or are instead intended to be used for ‘wellbeing’. The second concern relates to the protection of personal data. Given the choice of the EU regulators to give leeway to the market in medical and pseudo-medical apps, a massive number of them are available in the market. Data protection law is summoned as ‘second best’ to regulate not the presence and the use of medical apps, but the personal data processing performed by those apps. In order to mitigate safety and privacy risks, technologically mediated healthcare provision must be compliant with the relevant legislative frameworks and requirements1. The relevant legal frameworks are the EU medical device framework and the EU data protection framework2.
Medical Apps In The Medical Device Framework
The primary purpose of the EU Medical Device Framework (MDF) is to ensure the same level of safety to all EU citizens using medical devices (Directive 93/42/ EEC)3. Article 1 of the Medical Device Directive (MDD) defines medical device as “software[…] intended by the manufacturer to be used for human beings for the purpose of: diagnosis, prevention, monitoring, treatment or alleviation of disease; diagnosis, monitoring, treatment, alleviation of or compensation for an injury or handicap; investigation, replacement or modification of the anatomy or of a physiological process; control of conception […]”. This means that software such as a medical app that works in combination with a device (a smartphone) is a medical device. Before being put into free circulation and used in medical practice, mobile technology and medical apps must satisfy the legal requirements detailed in Directive 93/42/EC. Once the requirements are fulfilled and validated by the competent national office (this can also occur by adherence to an internationall recognised software standard shown to be safe), the CE certification is granted. The CE certification guarantees that a medical device has been approved as meeting the requirements of the MDF and, being safe, must therefore be permitted circulation in all Member States.
Despite the obvious engagement of the MDF framework with medical apps, the EU regulator has been hesitant to take action in an area of obvious ongoing innovation and market growth (Mantovani et al. 2013). At present, there are apps being advertised or readily available which perform activities that fall within the aforementioned definition of a medical device, but which do not carry a CE stamp, and are not described by its manufacturer as intended for medical purposes. Arguably the main reason for this relaxed approach is economic. The costs involved with MDF compliance are estimated at up to €10m (EFPIA 2010; DiMasia 2007; European Commission 2012). Under a literal interpretation of the regulation, apps that have a clear medical purpose would have no choice but to comply with the demands of the MDF, regardless of the intention of the manufacturer. This means that under a literal interpretation of the MDF a large numbers of apps that have a quasi or pseudo-medical purpose, such as ECG for self-monitoring, would disappear (Mantovani et al 2013).
Do apps that have a clear medical purpose have the obligation to comply with the demands of the MDF? In 2012 this question came under the scrutiny of the highest Court of the European Union: the European Court of Justice (ECJ). The case Brain Products GmbH v. BioSemi VOF, which was referred by the Federal Court of Justice in Germany, concerned an application called ‘ActiveTwo’ which enabled human brain activity to be recorded. The plaintiff (a company competing with Active Two) argued that ‘ActiveTwo’ was not marketed as a medical device, though what it did (record brain activity) very clearly fit into the literal description of medical. The Court disagreed, espousing not a literal, but a teleological interpretation of the MDF. The teleological (from ancient Greek telos= purpose, aim) interpretation gives decisive weight to the purpose intended by the manufacturer of the device or app. On the one hand, a medical device or app intended to perform an activity that falls within the definition (literal interpretation), must obtain the CE certification or satisfy the legal essential requirements, if its manufacturer expressly marketed it as a medical device. On the other hand, a device that de facto performs an activity that squarely falls within the letter of the definition, but is not intended to be used for medical purposes by its manufacturer, is not a medical device. Accordingly, in situations in which a product is not conceived by its manufacturer to be used for medical purposes, its certification as a medical device cannot be required (§ 30), says the Court (European Court of Justice 2012).
This means that manufacturers of medical apps that may incidentally be medical devices do not have to create them to the same standards required for conventional medical devices. As a consequence, many medical apps that are appearing on the market have not been checked for compliance with the essential requirements of the MDF. They are not as safe.
Medical Apps In The EU Data Protection Framework
The vision of mhealth elicts concerns about the security and confidentiality of medical records. In the pre-digital era, the duty of medical confidentiality required doctors and nurses to keep drawers closed and avoid sensitive talk in hospital cafeterias and elevators. In the digital era, a growing problem is the increased number of personnel who have access to patient data, who may not always be, or feel, subject to the duty of confidentiality. Another drawback is that data can be easily lost: news reported the NHS North Central London Trust losing a laptop containing an estimated 8.3 million patient records. The same source reported that thousands of notes belonging to cancer patients have gone missing from the abandoned Belvoir Park hospital in Belfast, which closed in 2006 (The Independent 2011; The Daily Mail 2014). Many healthcare operators are careless in storing and exchanging medical information records, e.g. they carry diagnoses or x-rays in memory sticks without a password. With the advent of apps, the doctor’s obligation of confidentiality becomes more complex to navigate. A recent study indicated that privacy policies were only present in 74% of the free apps, and in 60% of the paid apps. Such privacy policies were either included in the app, or externally available on the developer’s website (Lie Nije 2013).
In addition, apps are generally not bound to a precise purpose. Data can be used for secondary goals, and there is little transparency about the duration of data storage, processing and the rights of app users. Apps often leave the user alone and even require him/her to open additional links to find information on external sites (Lie Nije 2013).
Apps that process sensitive data collected in any of the EU Member States must adhere to the EU data protection rules. The rules for processing and storing of medical data are found in Directive 95/46/EC, currently under revision (European Commission 2012) and in the so-called e-privacy directive (2002/58/EC). Because of their sensitivity, medical data can be processed only in a restricted series of circumstances. Aside from cases of emergency, or when the vital interests of the patient or others are at stake, two relevant conditions for the processing of medical data are: a) explicit informed – written – consent of the ‘data subject’; and, b) when data are processed by a health professional subject to the obligation of confidentiality (Article 8 Directive 95/46/EC)4.
However, it is crucial to point out that being the principal carer or having received consent does not legitimise any use of the data not originally foreseen. Under the circumstances in which the processing is lawful, the data protection principle of data minimisation applies. As enshrined in the fundamental right to data protection (Article 8 EU Charter of Fundamental Rights; Article 6, Directive 95/46/EC) “… data must be processed fairly for specified purposes”. Data minimisation mandates that all processing is both adequate for and limited to a specific purpose.
In addition, the EU data protection framework lists a series of rights of data subjects and obligations of data controllers and processors (the entities, like a hospital or a doctor or app developer controlling the purpose and the means through which personal data are processed). Data subjects have the right to receive information (Article 10, 95/46/EC). Pursuant to articles 12 and 13 of Directive 95/46/EC, app users must be put in a position to exercise their rights to access, rectification, erasure and object to their data being processed. Data controllers are under the obligation to keep the data secure, accurate, and to act promptly in case of data breach or leakages (adapted from Article 4 Directive 2002/58/ EC). In a string of cases – Z v. Finland (1997), I v. Finland (2008) and, more recently, L.H v. Latvia (2014)5 - the European Court of Human Rights (ECHR) penalised states that failed to take appropriate steps to secure medical data, so that it cannot be accessed improperly. According to the Court, “what is required […] is practical and effective protection to exclude any possibility of unauthorised access occurring in the first place” (I v. Finland, § 46).
The implications of the data protection regime for medical apps are as manifold as the risks, which are created by processing medical data through mobile health technologies. Some basic recommendations based on the legal framework can, however, be put forth.
1. Incorporate the Principle of Data Minimisation in Apps. – Whoever controls or owns medical data should not process more personal data than necessary, and must not do so for purposes not defined and for indeterminate or excessive periods of time. As the case law of the European Court of Human Rights indicates, doctors and hospitals should not disclose patients’ data to third parties, including law enforcement agencies and health or social security departments.
2. Improve Security Measures. – The use of mobile health technologies means that more people have access to personal sensitive information. As the case law of the ECHR suggests, the conditions for the lawful processing should be incorporated in the design of the device and of the apps. The controller should implement appropriate technical and organisational measures and procedures in such a way that the processing will ensure the protection of the rights of the data subject.
3. Increase Transparency of Apps. – Users of medical apps have the right to receive information, exercise their rights to access, rectification, erasure and object to data processing. It is important to provide users with instructions that clearly state whether apps are certified (the CE stamp) for medical purposes, and ensuring awareness of the kind of data that are being accessed and processed. Ideally apps developers should ensure ‘by design’ the proportionality of the data collection; customise information about data subjects’ rights, including the provision of updates and adequate information; and notify any breach of personal data or security problems.
4. Make Room for ‘Granular’ Consent. – This recommendation is closely linked to transparency. Patients must understand what an app does before they can give valid consent in an informed, specific, truly free fashion. Consent must be obtained before information is gathered, but also before the information stored in the device – or accessible by the app, is processed. It should also be noted that patients withdraw de facto their consent when they ‘un-install’ apps. In this case, all personal data stored by the app developer and in the servers of the third party data controller(s) should be removed.
5. Include Different Capacities. – The ability of an individual to truly gauge the exact nature of his/her situation in an mhealth environment will vary enormously between a teenager and an elderly patient. It is questionable if apps processing data for medical purposes can be used without any supervision at all. In this regard, Portuguese data protection legislation allows users to have only indirect access to medical data through a physician. Similarly, the Belgian Commission for the Protection of Privacy advises patients to access their medical dossier under the supervision of a physician whenever possible.
Many apps performing medical activities are not considered medical devices in a strict legal sense. Developers can get their way out of the requirements mandated by the MDF simply by not stating that the app has a medical purpose. The difference between considering an app to be a medical device or not is relevant for the safety of the patient, for doctors’ liability, as well as for the relationship between patient and doctors. As a rule of thumb, it is advisable to read carefully the instructions that come with the app and verify the presence of the CE mark. Patients and doctors should avoid taking decisions relying on measurements provided by the hundreds of apps that are not certified medical devices. In any case, app developers and users are bound by data protection principles, rights and obligations. A safe medical app with a CE mark and software compliant with data protection rules will grant developers a solid competitive advantage.