Legally ehealth Report
1. Legally eHealth
Putting eHealth in its
European Legal Context
Legal and regulatory aspects of eHealth
Study report March 2008
Information Society and Media
European Commission
3. Foreword
Healthcare systems, as we know them, currently are evolving. The technological
adjustment introduced by ICT systems dramatically has altered the way players,
citizens, patients, clinicians, care providers, policymakers, governments,
vendors, and suppliers interact. Privacy and confidentiality, personal data, and
data protection issues are becoming highly relevant when discussing eHealth in its
European legal and regulatory context.
Legal certainty is a prerequisite for businesses to invest in innovation, and for
providers and users to take up new products and services. As long as the eHealth
market is characterised by lack of regulation and legal certainty, barriers to the
progress of eHealth will persist.
The added value of eHealth is about developing a concerted and focused prospective approach of regulatory and other policy instruments to allow a varied set of technologies and innovative business models to rapidly meet demand and to benefit from the mobilising effect generated.
Key to the success of the eHealth initiative is a debate at regional and national level concerning the conflicts about whether and to what extent the current legislation regarding eHealth interferes with public health policy. Legal liability and jurisdictional certainty are at the heart of this discussion, as well as cross-border provision on healthcare. The aim of this booklet is to present an overview of how the current EU-level registration can meet demands of regulating the emerging eHealth markets of Europe.
I hope that this booklet ‘Legally eHealth; Putting eHealth in its European Legal Context,’ can act as guidance for all players in the European health sector.
Gérard Comyn, Acting Director, ICT Addressing Societal Challenges, DG Information Society and Media, European Commission
Acknowledgements
We thank the colleagues from the Unit ICT for Health for their kind support. In particular,
we are grateful to Gérard Comyn, Head of Unit, Ilias Iakovidis, Deputy Head of
Unit, for the guidance and promotion of this activity, and our Project Officer,
Diane Whitehouse, for her enthusiastic commitment to our work, as well as her valuable contributions. We also
thank the Unit members who helped in the preparation of this report, notably Corinne Wenner (Information &
Communication Officer), Mike Palmer (Project Officer), Luba Hromkova (Project Officer and Legal Expert) and
Mia Sichelkow (Proofreader).
The Legally eHealth team also owes a debt of gratitude to the attendees of the various conferences at which
this work was presented for their insightful questions, which contributed significantly to the development of
this work.
However, this report reflects solely the views of its authors, and is not the officially endorsed opinion of any of
the companies or institutions for which they work.
4. Executive Summary
What is e-health?
“eHealth characterizes a technical development, but also a state-of-mind, a way of thinking, an attitude, and a commitment for networked, global thinking, to improve health care locally, regionally, and worldwide by using information and communication technology.” G. Eysenbach (Journal of Medical Internet Research 2001;3(2):e20).
The term eHealth, although now quite current in Europe and, indeed, throughout the world, still is rather new, making its first appearances in the scientific and policy literature around 1999. Its predecessors, however, date back to the 1960s when the concepts of health informatics and bio-medical computing began to occupy the minds of academic physicists, mathematicians, and medics.
The 1960s and 1970s saw the development of computing technology for mathematical modeling applied to the healthcare setting, along with highly specialized, tailor-made programmes for complex medical models. The early 1990s saw the beginnings of the IT revolution, which took us from the back roads to the super highway. With the development of Internet technology, eHealth became a potential reality not only for healthcare practitioners but for every citizen.
It was, however, not until the late 1990s that lawyers and administrators began to question the extent to which existing legislation was sufficient to cover the use of eHealth tools in the provision of healthcare to citizens. Over the past decade, a number of articles, reports, and studies have established that the use of ICTs in healthcare does raise a number of legal questions, but few have looked, in detail, at the extent to which European legislation could provide good answers.
The Legally eHealth Report, therefore, seeks to examine some of the key legal questions raised by the adoption of eHealth tools in healthcare. It looks at how EU legislation on data protection, product and services liability, and trade and competition law applies.
In considering the law of privacy, the report examines the European Directives on Data Protection and on Privacy in Electronic Communications, as well as the European Convention of Human Rights, against the backdrop of a number of scenarios exploring data transfer for the purposes of better care provision both across European and international borders, as well as for commercial purposes.
The report also addresses the vexed issue of liability for eHealth goods and services, covering both simple eCommerce-like health services transacted over Websites and much more complex issues, such as multiple and split liability for services provided through a series of co-operating providers. Finally, noting that eHealth is a significant, emerging European industry, the Legally eHealth report questions the extent to which European trade and competition law might apply to eHealth.
The overall objective of the report is to widen the audience of legal questions in eHealth since, until these issues are tackled head-on in real cases, we will not begin to change the legal landscape in order to provide fertile ground for new developments. eHealth is not just about technology, but about changing the everyday practice of healthcare for every healthcare professional and every patient.
6. Introduction
The concept of eHealth and its reality in daily medical practice fundamentally challenges our understanding of the practice and regulation of healthcare in terms of the relationship between practitioner and patient, between practitioner and institution, as well as between institutions, between practitioners and institutions on one hand and, on the other hand, bodies involved in the funding (social security) and monitoring (public health control) of healthcare.
In the traditional model, patient access to the healthcare delivery system has been limited to predetermined points of entry, such as through a primary care physician. From the entry point, the patient’s progress through the system has been relatively linear and often dictated by the health system’s reimbursement processes. Similarly, processes, such as diagnosis, treatment, and care, have involved physical presence and personal interaction between providers and patients. Of course, such physical presence requires some sort of identification (i.e., lack of anonymity).
eHealth, however, is premised on a fundamentally new patient experience that is unconstrained by familiar points of entry and structures or traditional channels for delivering information or care. For one thing, anonymity or pseudonymity can be preserved much more easily. Not surprisingly, therefore, the eHealth revolution has brought about as many serious implications for healthcare regulators and lawyers as for medical professionals.
Although policy makers have noted at both the European and national level that a lack of legal certainty about the use of eHealth tools and services exists, little has been done to study the issue in detail. Certain projects, funded under the Framework Programmes, have looked at the general legal issues concerning the use of information society technologies (IST) [1], while others have included work packages looking at the legal aspects of a particular technology or application [2]. Others have looked at one particular issue, such as confidentiality, in greater detail [3]. It would seem, however, that little work has been undertaken to date to look across the range of legal issues relevant to the use of IST tools and services in healthcare and to draw conclusions about the regulatory needs that may exist.
In order to fill this gap, a study [4] was conducted between January 2006 and May 2007 to investigate the extent to which European Community legislation, contained in various Directives, provided sufficient legal certainty to allow eHealth to prosper in Europe. This current report draws together the results of that study, focusing particularly on the challenges of compliance with rules on data protection and privacy, questions of product and services liability, and on the role of EU competition law on the development of the eHealth industry within the European internal market.
The objective of this report is to provide the reader with an overview of the extent to which current EU-level legislation can meet the demands of regulating the nascent eHealth markets of Europe. It does not purport to give legal answers, but rather to give the reader a basis from which to examine your own eHealth situations and to arm you with appropriate questions to ask within the relevant national or regional legislations.
1. see for example: Legal IST – FP6-IST
2. see for examples: NEXTGRID – FP6-IST or EUROGENTEST – FP6-LIFESCIHEALTH and FP5- GEMSS
3. see for example: EUROSOCAP – Quality of Life Programme (FP5)
4. Legally eHealth: A Study on the Legal and Regulatory Aspects of eHealth Contract 30-CE- 0041734/00-55
7. 1 Setting the scene: eHEALTH in its European Legal Context
eHealth is a very broad term and encompasses many concepts. For this study, we have taken the term to include the wide range of information technology-based applications found in hospitals and primary care settings. These include administrative tools, such as hospital information systems (HIS), summary records, and discharge letters; clinical technical applications, such as picture archiving and communications systems (PACS); as well as clinical support systems, such as operating theatre systems, decision support systems (DSS), and systems linking institutions such as General Practitioners Systems; and electronic prescribing systems linking general practitioners with pharmacies (eRx). At the heart of our eHealth world is the elusive holy grail of eHealth – the fully interoperable cradle-to-grave Electronic Health Record.
[Figure: the eHealth applications (OR, HIS, eRx, Monitoring, Summary records, Labs, Health information, DSS, EHR, GPs, CPOE, PACS, Home care) surrounded by the four stakeholder groups: Government, policymakers, payers; Clinical and social care; Citizens and Patients; Vendors, suppliers, commercial partners.]
The stakeholders in the world of eHealth may be classified into four groups of actors: Citizens and patients; clinicians and care providers; payers, policy makers and governments; and vendors, suppliers, and commercial partners. All four groups have highly significant but not always equal roles to play in healthcare. We look, in particular, at the tensions that can arise between clinician and patient with respect to privacy and confidentiality or between government and vendor with respect to competition in the healthcare market.
While a wide range of legal issues are relevant to eHealth, ranging across contract law, employment law, and even criminal law, it was felt that three areas of law are particularly difficult to interpret in the context of eHealth. Given that eHealth intrinsically is dependent upon the collection and sharing of patient data, it is important to examine the extent to which data protection and privacy laws impact upon its practice (see for example the discussion on Directive 95/46/EC on Data Protection). Similarly, since eHealth frequently will be used in order to facilitate collaboration between different care providers funded from different budgets and with varying levels of responsibility to the patient, it is important to examine to what extent current rules on liability for goods and services cover the provision of healthcare using eHealth tools (see for example the discussion on Directive 97/7/EC on Distance Contracting). Finally, in order to allow eHealth to prosper, it is important to ensure that trade and competition law, as it currently stands in Europe, does not pose any problems for this nascent industry. Accordingly, we also look at the implications of EU-level competition law (see for example the discussion on Articles 81 and 82 of the Treaty on the European Communities).
[Figure: the same eHealth landscape overlaid with the three areas of law examined: DATA PROTECTION (Dir 95/46/EC, 2002/58/EC, 2006/24/EC); PRODUCTS & SERVICES LIABILITY (Dir 97/7/EC, 99/93/EC, 2000/31/EC, 2005/29/EC); TRADE & COMPETITION.]
8. 2 Processing Medical Data in eHealth
Data Protection, Confidentiality and Security
Introduction
eHealth applications, whatever their nature, frequently will involve the processing of information relating to an identified or identifiable patient. Such information legally is known as personal data and is subject to data protection legislation in the European Union. In Europe, such data are protected by legal rules found in a number of legal sources, the most important of which is the Directive on Data Protection (Dir. 95/46/EC), which now has been transposed into national data protection legislation across the EU.
The following pages provide a very quick overview of key aspects of the European Data Protection Directive. The full Directive can be downloaded at http://ec.europa.eu/justice_home/fsj/privacy/ where each Member State’s national legislation transposing the Directive also is available.
What is the purpose of the Data Protection Directive?
The primary purpose of the EU Directive on Data Protection (95/46/EC) is to protect the fundamental rights and freedoms of natural persons, which are real people, as opposed to legal persons or entities such as companies or societies. Within the legislation, such a natural person is referred to as a data subject – in other words, the person to whom the personal data relate. The Directive, however, has a further purpose: To allow the free movement of personal data within the European Union in the context of the internal market. On the one hand, its object is to protect the privacy of individuals while, on the other hand, it is to allow freedom of movement of data across the European Union in order that the internal market might prosper.
To what types of data does the Directive apply?
In order to establish if data are covered by the Directive, one first must ask if the data are such that they allow the identification of a particular natural person. Second, is the data going to be processed by someone (a legal or natural person). Thus, the laboratory result of a blood sample test, giving the count of various markers in the blood, will be covered by this legislation if the identification of the originator of the blood is possible using reasonable means. The Directive applies also if the laboratory results are stored with coded identifiers, such as a patient number. The basic principle here is that if a piece of information can be linked to a person either by reasonably simple means, by or with the help of a third person, then the data is considered as identifiable and, therefore, in the scope of the Directive. If the information refers to a group, or if it is so complete or so unique as to make it applicable to only a very small number of people (e.g., disease profile, age, gender, postcode, profession all held together), then the data could be classified as identifiable even if no actual identifier were used.
Who has data protection duties?
The data protection rules are addressed primarily to the data controller – the person who decides the purpose and the means of the processing and who has the legal duty to ensure that data are handled appropriately. In most professional cases, this will be a senior staff member who is named as the person responsible for data collection and storage by an organisation.
In the case of small companies or self-employed individuals (such as many General Practitioners), the data controller generally will be the person who has legal and tax liability for the organisation. It should be noted that organisations need not be businesses or legally constituted to be covered by the legislation; a disease self-help group will fall within the legislation and its data controller will be its president or other lead person.
What are the main duties of a person who controls personal data?
Any personal data that the controller needs to process for the purposes of his or her professional activity must meet certain levels of quality, and must comply with different principles concerning data collection and processing.
The data must be collected for specified, explicit, and legitimate purposes. This principle requires that, prior to processing personal data, the controller has to define clearly and precisely the purpose(s) for which the data are to be processed. Moreover, the processing should be transparent. The data controller will, therefore, have to provide the relevant national data supervisory authority and the data subject with certain information regarding the processing, and may only process the data for the purposes for which it was collected.
Thus, a doctor who may share patient identifiable data with another doctor for the purposes of treating the patient may share that same information with another healthcare professional for the purpose of conducting medical research if that purpose originally was given as one of the final uses of the data. It also would apply if this is compatible with the latter (especially if the data subject has given his or her consent to the communication) or if appropriate safeguards are met for processing personal data for medical research viewed as a scientific purpose (i.e., reasonable steps are taken to hide the true identity of a data subject). If the personal data are anonymised by the doctor, there is no problem to communicate the anonymous data to a third party for scientific purposes, including medical research, save for other special rules in National Law (i.e., medical secrecy). Also, they must be processed fairly and lawfully so that if a researcher collects data in order to carry out a specified research project, he or she may not collect and process other data that are not necessary for that particular study but might be useful at some later date. The controller also must ensure the data are kept up-to-date while they are needed, and not kept longer than necessary.
What rights do data subjects have?
Data protection law not only gives duties to data controllers, but also rights to data subjects, such as patients. Laws in EU countries grant access rights to all data subjects to data held about them, which allows them to request specific information about their own personal data; the right to ask for data to be rectified when they are incomplete or inaccurate; and, under some conditions, the right to object to the processing. On the basis of these duties, most EU countries have introduced legislation that allows patients to access their medical records and to demand a rectification of those records.
Are medical data treated differently from other data?
All the principles described above are general principles that may alter very slightly when the data are regarded as especially sensitive. Data concerning a person’s health, religion, trade union activity, as well as data revealing racial or ethnic origin and judicial information, are amongst the data regarded by the Directive as especially sensitive and, therefore, subject to special rules. For this reason, data that are capable, by their nature, of infringing fundamental freedoms or privacy of the data subject normally should not be processed.
The ban on processing sensitive or medical data aims to ensure the fundamental rights and freedoms of the data subject regarding the processing of his or her medical data. The ban is, of course, not absolute, so all EU countries hold, by principle, that medical data may be collected or processed only for certain purposes and following certain guidelines, including notably:
• That the explicit informed consent of the data subject is obtained
• To protect the vital interest of the data subject or of another person when the data subject is physically or legally incapable of giving consent
• For the purposes of preventive medicine, medical diagnosis, the provision of care or treatment, or the management of healthcare services, if the data are processed by a health professional subject to the obligation of professional secrecy or by another person also subject to an equivalent obligation of secrecy.
9. 3 Data processing Case Vignettes
Introduction to case vignettes
In order to place the general overview of the principles of EU data protection in its eHealth context, a series of fictional case vignettes have been constructed on the basis of reported case histories. These outline the way in which data protection rules might be applied in practice. The case vignettes are not real cases as such, but are informed by reports of real cases and are grounded in medical practice reality.
CASE VIGNETTE 1: SECOND MEDICAL OPINION FROM A COLLEAGUE IN ANOTHER EU COUNTRY
Wilhelm Wolfgang, 50, a building construction manager from Stuttgart, has suffered from multiple allergies both respiratory and dermatological, since he began working on construction projects at age 8. Other than the recurrent allergies, Wilhelm, a non-smoker, generally has been in good health.
Unfortunately, his most recent routine X-ray revealed some suspicious areas on the upper right lung. Wilhelm’s specialist, Dr. Willy Weiss, would like to ask a second opinion regarding the images and the case. He identified Prof. Alexander Artemis, a world expert of pulmonary imaging in the detection of rare lung diseases, located in Greece.
Dr. Weiss wonders whether the digital X-ray images can be transferred safely and securely to Prof. Artemis. A conversation with Prof. Artemis reassures him on that score. In addition, Prof. Artemis is quite happy to provide his analysis free of charge.
Wilhelm is hoping that Prof. Artemis can provide his opinion from a distance, although he is willing to fly over, if expenses can be reimbursed. Wilhelm thinks that two opinions give more credibility to the decisions that will follow.
The legal analysis
In this case, we see a typical doctor-patient relationship. However, since the story includes the transfer of medical data, we can use it to look carefully at the legal duties of doctors wishing to collaborate, over a distance, using standard tools for sharing electronic medical reports and records.
In order to establish which rules apply to the proposed transfer of data from Germany to Greece, a number of questions must be asked:
HAVE THE DATA BEEN LAWFULLY COLLECTED?
The answer would seem to be positive since Wolfgang has agreed to the X-ray and to its possible transmission to Prof. Artemis. Given that the data are medical data, Dr Weiss will be subject to the special rules concerning the processing of sensitive data.
IS IT LEGITIMATE TO PROCESS THE MEDICAL DATA?
Again, the answer would seem to be yes since Dr. Weiss processes Wilhelm’s medical data as a registered medical practitioner and, as such, is entitled to collect and process such data as it is needed for medical diagnosis and the provision of care or treatment to Wilhelm. In this case, the medical data have to be processed by a health professional subject under national law or rules established by national competent bodies to the obligation of secrecy or by another person also subject to an equivalent obligation of secrecy.
CAN THE MEDICAL DATA BE SENT TO ANOTHER COUNTRY?
Yes. Prof. Artemis is a medical doctor, in a European Union country, and the data is communicated for the purposes of providing medical diagnosis. Note, however, that Dr Weiss has a legal duty to ensure that Prof. Artemis and his hospital provide sufficient guarantees on technical and organisational security measures.
10. WHAT LEGAL DUTY DOES THE THIRD-PARTY DATA
RECIPIENT HAVE?
The legal analysis
4
Buying, selling, and
using eH Tools and Services EALTH
Prof. Artemis will be processing the personal data on IS IT LEGALLY ACCEPTABLE TO DIGITIZE PAPER practitioner or directly to a consumer that uses an
behalf of Dr. Weiss and will be therefore, considered as RECORDS? PRODUCT AND Internet-enabled component to deliver benefit. As such, it
a data processor who must act only on instructions of The legal question here is whether such processing of the might be an electronic record to be used by the doctor, or
Dr. Weiss. He must take the appropriate technical and patients’ medical data is compatible and necessary with SERVICES LIABILITY a monitoring device that includes a Web-based interface.
organisational measures of protection. the initial purpose for which the data were collected, It might even be just a simple health information portal.
i.e., treating patients. It would seem to be the case since Pure medical devices, such as blood pressure monitors,
digital records will allow Dr. Carrington to treat her Introduction are excluded from our definition unless an ‘e’ interface
CASE VIGNETTE 2: PROCESSING OF MEDICAL patients more efficiently. is used.
RECORDS OUTSIDE THE EU As consumers of goods and services, we expect the law
CAN DIGITIZATION OF PAPER RECORDS BE to protect us from potential harm from poor goods or It is important to note that at present, no specific
Dr. Caroline Carrington is a general practitioner who OUTSOURCED DOMESTICALLY? services by having strong requirements of high quality legislation exists at an EU level that specifically targets
recently arrived in a busy group practice, in Loch The legal duty of care to the patient, respect to privacy, and to provide us with adequate means for redress if we such eHealth services and products. Legally, these
Harlow, Lannockshire, Scotland. Dr. Carrington and confidentially remains with Dr. Carrington, or with are harmed in some way. The object of this section is products will be covered by a range of legislation.
replaced Dr. Charles Cramer, who retired in May the practice, which legally are designated as the data to investigate how far, at a European level, the existing
2006, inheriting his carefully handwritten records. controllers. IMRC would be acting as a data processor legislation on consumer protection is adequate to protect It is important to note that at present, no specific
for Dr. Carrington, who will have to ensure that IMRC users of eHealth systems, tools, and services. legislation exists at an EU level that specifically targets
Dr. Carrington wanted to switch to digital records can provide sufficient guarantees on technical and such eHealth services and products. Legally, these
as quickly as possible, before multiplying her own organisational security measures and to sign a contract It is clear that the provision of eHealth products, systems, products will be covered by a range of legislation.
additions to the files. to that effect. and services must comply with certain levels of quality.
Different legal texts have been agreed upon to provide
Dr. Carrington’s problem on how to digitalise Dr. CAN FURTHER PROCESSING BE OUTSOURCED consumers with legal guarantees for any damages Does the sale of consumer
Cramer’s files seemed to find a providential answer OUTSIDE THE EU? resulting from sub-standard products or services. The
when she opened an envelope from SoftSupport Ltd, IMRC intends to do more than simply digitise records. legal texts do not apply exclusively to eHealth, but goods legislation apply to
multinational software specialists. Inside there was Once scanned, the digitised medical files will be sent instead are applied with a general context of service
a prospectus indicating that International Medical to India (thus outside the European Union) in order provision and product delivery, whether by traditional or eHealth goods and services?
Records Coordinators (IMRC) Ltd., a division of to populate a searchable database of medical records via electronic means. We will explore the range of EU-
SoftSupport, would be stopping in Loch Harlow over located in the UK. The transfer of data to India could level consumer protection legislation that could apply At a most simple level, the sale of any product – be it
the summer to provide record scanning services. only be permitted if India ensures an adequate level of to eHealth systems and services, exploring issues such eHealth or any other – will be covered by standard
protection. Today, India does not seem to ensure such as dissemination of information via Websites, electronic contracts for sale of goods. Thus, if the eHealth product
Founded by Dr. Gautam Gandhi, a practicing level of protection. Such transfer of data to India would advertising, contracting online, and delivery of products fails to arrive or arrives late, the standard clauses in the
physician in the UK, IMRC had been sold to be permitted either on the basis of the unambiguous or services. contract will apply. These allow the purchaser to pay less
SoftSupport in 2005. IMRC’s business was based on consent from the patient or on the basis of a contract or to return the goods. Similarly, national legislation
Dr Gandhi’s connections between the UK and India. signed between Dr. Carrington and the recipient of the The concept of the eHealth product is sometimes based on the EC general product liability directives
IMRC scans patient records in a mobile unit stationed personal data, imposing on the latter the conditions difficult to understand because, in practice, most eHealth (Directive 200/95/EC and Directive 999/34/EC),
outside British practices, then sends them to IMRC of the data processing based on the standard contract products either will be software packages and interfaces ensures that the purchaser has redress if consumer goods
offices in India for data entry to populate a database terms available from the European Commission The (electronic health record, decision support tool) or they are not fit for the purpose sold, as well as the relevant
held in the practice. recipients of the communication have to be subject to might be hardware devices with embedded software national legislation based on Directive 999/44/EC on
confidentiality rules equivalent to those incumbent to (radio frequency identification location trackers for the Sale of Consumer Goods.
Dr. Carrington wonders if she can make use of the health care professionals. Again, to ensure a fair data locating people and objects; remotely controlled medical
offer of IMRC Ltd. processing, Dr. Carrington or the practice should inform devices). We take a broad definition of an eHealth According to these EU directives, when eHealth tools are
••• 18 the patients that the digitalized medical records have product or service to include anything sold to a medical sold as consumer goods, the seller must deliver goods 19 •••
been sent to India to be encoded for a database located
in the UK.
11. as described in the contract of sale. Moreover, when a commercial guarantee exists, the seller or producer who has offered the goods for sale legally will be bound to that guarantee, as well as to the associated advertising. Any such commercial guarantee will have to be made available in writing (or another durable medium, such as an e-mail) and will have to contain certain information. Anyone selling an eHealth product as a consumer good would, therefore, have to comply with these rules and, conversely, a purchaser of an eHealth product would have redress under them.

Is there general product safety legislation that applies to eHealth goods and services?

The General Product Safety Directive (200/95/EC) imposes a general safety requirement for any product put on the market for consumers. In addition, they must provide consumers with relevant information enabling them to assess the risks inherent to the product, particularly when it is not obvious, and take appropriate actions to avoid these risks (withdrawal from the market, warning to the market consumers, recall products already supplied, etc.). To assist consumers, national authorities have established systems to monitor product safety and to take appropriate measures to protect consumers. Such a system also exists at the EU level in RAPEX, a European rapid alert system for dangerous non-food products, which ensures that information about dangerous products identified within the Member States is quickly circulated between the Member States and the Commission. To date, no eHealth products have been listed in RAPEX, but as consumer products in eHealth become more common, this will serve a useful purpose in the eHealth sector.

Could eHealth applications and tools be considered medical devices?

Any eHealth device placed on the market, which is designated by its manufacturer as a medical device, will be subject to the specific additional rules regarding medical devices. The medical devices sector is covered by three directives, covering a wide scope of products. The first Directive, (90/385/EC), deals with active implantable medical devices, the second Directive, (93/42/EC), deals with medical devices in general, while the third Directive, (98/79/EC), deals with in vitro diagnostic medical devices.

The General Directive (Dir. 93/42/EC) concerning medical devices aims to safeguard the health and safety of patients and users by harmonising the conditions for placing medical devices on the market and putting them into service. The medical devices must be designed and manufactured in such a way that their use does not compromise the safety and health of patients, users, and other persons when properly installed, maintained, and used in accordance with their intended purpose. If a Member State notes that a medical device conforming to the Directive compromises the health and/or safety of patients, users, or, where applicable, other persons, it shall take all appropriate interim measures to withdraw such devices from the market or prohibit or restrict their being placed on the market or put into service.

The Directive on In Vitro Diagnostic Medical Devices provides that such devices may be placed on the market and put into service only if they comply with some requirements. This obliges Member States to monitor the security and the quality of these devices and to take appropriate measures to withdraw dangerous devices from the market. Where a medical device is used to dispense a medicinal product, Directive 200/83/EC on Medicinal Products for Human will require that any such compound dispensed by the device is covered by a marketing authorisation issued by a national oversight authority.

Although early eHealth devices frequently were not designated as medical devices, the growing market in personal health monitors or any medical support tools, such as wearable and implantable monitors, will ensure that more and more such eHealth tools are designated as Medical Devices so that this legislation will grow in importance.

Finally, it should be noted that national, international, and European standards bodies are developing standards that apply to eHealth products. Examples include the European Standards Agency (CEN) standard for EHRs (CEN ENV 3606), the American HL7 standard for EHR, or, indeed, the industry standard for the communication of medical digital images (DICOM)[5]. While these standards are not legally binding, they do provide a baseline against which disputes about the quality of an eHealth product, covered by a standard, might be assessed.

How will consumers and professional users be protected if an eHealth product or services causes damage?

Directive 85/374/EC on Defective Products will apply to eHealth products in the same way as it applies to any other product sold on the European market. This Directive aims to ensure a high level of consumer protection against damage caused to health or property by a defective product. It also aims to reduce the disparities between national liability laws, which distort competition and restrict the free movement of goods. The Directive establishes the principle of no-fault liability for damage caused by a defective product and, as a result, the producer, importer, or supplier will be liable and must pay compensation for damage caused to persons or property resulting from a defect. The injured person does not have to prove that the producer was at fault or negligent, but simply needs to prove that damage arose, that a defect in the product exists, and that there is a causal relationship between defect and damage (this is known as the concept of ‘strict liability’).

For example, if defective software used to drive an infusion pump causes an incorrect dosage to be administered, and the patient is caused harm, then the patient will not need to prove the fault of the manufacturer of the software. He would just have to prove that he was injured, not the fact that the software does not provide the safety that a patient is entitled to expect. Nor does the patient have to show a link between the dosage error and the injury.

However, in order to strike a reasonable balance between the interest of the consumer and the need to encourage innovation and technological development, there are some rules protecting the producer. Therefore, the period of liability has been limited to three years from the moment the consumer becomes aware of the damage, the defect, and the identity of the producer. And the liability is limited to ten years after the producer has placed the product on the market.

What about liability for an eHealth service?

An eHealth service might be passive, such as delivering general medical information through a Website, or might be active in giving medical advice or specific decision support to clinicians, or might involve the collection of biomedical data for remote monitoring by a clinician. Such a service might conceivably cause damage to someone relying on the service. A citizen might follow bad advice and fall ill, or even die; a clinician might follow the recommended procedure after using a decision support tool and might harm a patient; or a remote monitoring service might fail to transmit relevant data, thereby putting a patient’s life at risk.

In many such cases, a causal link will exist between the harm suffered and a defective product. Thus, if an error exists in decision-support software, the doctor who relied on the software would have a claim based in Council Directive 85/374/EEC, as described above.

There currently is no general European harmonisation of liability rules for services in which no defect can be found in a device. Therefore, liability for services is governed by ordinary rules of law applicable in the Member States. An exception to this may exist if a service is supplied wholly by electronic means, in which case the eCommerce Directive (Directive 2000/3/EC) might apply. These issues are further considered below, looking at questions on health-related Websites and health-related eCommerce.

What about eHealth services provided to patients via the Internet?

Any eHealth services provided via the Internet will be subject to the national legislation derived from the eCommerce Directive if they meet the qualities of an information society service. That is any service normally provided for remuneration, at a distance, by electronic means, and at the individual request of a recipient of services (such as through the Internet). It covers services between enterprises or between enterprises and consumers, which are paid directly from the recipient (online transactions) or those financed by indirect means, such as advertising income or sponsoring.

Activities, which by their very nature, cannot be carried out at a distance and by electronic means, such as medical advice requiring the physical examination of a patient, are not information society services. When the physical examination of the patient is not necessary, then the service may be considered as information society service, such as:
• Websites of doctors promoting their activities
• Online selling of medicines (ePharmacy)
• Online advice that does not require the physical examination of the patient if a fee is paid or if it is financed by advertising or sponsorship
• Online databases of information accessible for medical professionals or consumers if a fee is paid or if it is financed by advertising or sponsorship (even indirectly).
12. What duties and rights arise from an eHealth services provided via the internet?

A doctor or other party running a health-related Website, whether it is a passive information site or one supplying services, will have to inform the users of his identity, address, and VAT number, if applicable. If the service is provided by a doctor, or other profession subject to rules of professional registration, the full registration details applicable in the country of registration also must be provided. These information duties aim to enable the user of the Website (passive or active) to identify the service provider and to ensure transparency of activities. In essence, the purpose of these information duties is to allow users to know against whom they can seek redress if they should need to do so.

This principle of transparency of provider of site is included within the Commission’s Communication on Quality Criteria for Health-related Websites (COM 2002/667), which seeks to increase the reliability of health-related Websites and also include other quality criteria that health-related Websites should comply with, such as transparency of the purpose of the Website, respect of privacy, accessibility adapted to the target audience, etc. Those quality criteria may serve as reference in the development of quality initiatives for health-related Websites.

If a health-related Website includes any type of communication promoting goods, services, or the image of a company, the eCommerce Directive imposes further duties that require that any such commercial communication should be clearly identifiable as such and the person on whose behalf the commercial communication is made must be clearly identifiable as well. The purpose is to avoid any confusion between advertising and any other type of information. The eCommerce Directive does not replace other legal texts that impose particular rules or restrictions relative to advertisement concerning regulated professions, such as doctors or dentists. Therefore, the advertising of prescription-only medication still is prohibited on European-registered Websites (Directive 200/83/EC). However, given that direct-to-consumer advertising of prescription medication is permitted in the United States, many European citizens find American advertising on the Internet and buy directly from these American sellers.

If a health-related Website is offering services or products not covered by the ban on advertising of prescription-only pharmaceuticals, further consumer protection laws will apply, notably those derived from Directive 2005/29/EC on Unfair Business to Consumer Practices. This includes, for example, a ban on promoting a medicinal service or product as 00% effective, and without any side effects, when the trader must reasonably know that the tests made cannot completely exclude the possibility of all potential side effects.

Which countries’ rules apply to services offered via the Internet?

In general, the rules of the country in which the service provider is registered will apply. That is why information on the service provider must be given on the Website. This is known as the country of origin principle, which provides that the law applicable to an eCommerce activity will be the law of the country in which the service provider is established. For example, if an electronic healthcare service provider, established in Italy, provides online information to doctors in different places in Europe, it will fall under Italian law.

However, there are exceptions to the country of origin principle. Most notably, Member States have the right to derogate from this principle if, for example, it is necessary for the protection of public health.

Does the Internet Services Provider (ISP) have any special duties?

The eCommerce Directive establishes a special exoneration system of liability for some categories of Internet intermediaries (mere conduit, caching, and hosting) in detailed circumstances. The “Mere Conduit” is an information society service consisting of:
• The transmission in a communication network of information provided by a recipient of the service or
• The provision of access to a communication network

When providing such “Mere Conduit” service, the service provider is not liable for the information transmitted. To benefit from this exemption, the provider has to comply with several cumulative conditions:
• The provider does not initiate the transmission
• The provider does not select the receiver of the transmission
• The provider does not select or modify the information contained in the transmission

The acts of transmission and of provision of access include the automatic, intermediate, and transient storage of the information transmitted insofar as this takes place for the sole purpose of carrying out the transmission in the communication network, and provided that the information is not stored for any period longer than is reasonably necessary for the transmission.

Caching is an information society service consisting of the transmission in a communication network of information provided by a recipient of the service. When providing such caching services, the service provider is not liable for the automatic, intermediate, and temporary storage of that information, performed for the sole purpose of making more efficient the information’s onward transmission to other recipients of the service upon their request.

When providing these three information services (Mere Conduit, Caching, or Hosting), providers cannot be obliged to monitor the information that they transmit or store, nor to actively seek facts or circumstances indicating illegal activity.

Are there any special rules for contracts for eHealth goods or services?

Much eHealth business necessarily will involve the drawing up of contracts. On the whole, normal national contract law will apply, transposing where applicable EU-level directives. The agreement of eHealth contracts could occur for the delivery of eHealth products or for the provisioning of eHealth services. The latter includes the online provision of medical care, such as tele-monitoring.

Generally, such a contract will be governed by normal national contract law, being simply a contract for service. Where such a contract is made between parties in different European countries, the usual rules about cross-border contracting will apply. This means that the contracts will be drawn up under the law of the state in which either the purchaser or provider resides. A number of legislative instruments at the EU level already have been adopted to ensure that parties to such contracts can know, in advance, under which jurisdiction any eventual dispute will be resolved. The Brussels Regulation (Regulation 44/200/EC) concerning jurisdiction and the recognition and enforcement of judgments in civil and commercial matters, and the 980 Rome Convention on the law applicable to contractual obligations, are the reference points for EU-level contracts.

A further area of legislation could apply to a contract concluded by electronic means. Directive 997/7/EC on Distance Contract imposes on the supplier a duty to provide the recipient with written information (or another durable medium such as an e-mail or online information) prior to the conclusion of the contract concerning the supplier’s identity, the product or service, and the price. In such contracts, the rules on electronic signatures also will apply (Directive 999/93/EC). This provides that national-level legislation must ensure a legal equivalence between the handwritten signature and advanced electronic signatures based on a qualified certificate. A simple form of eSignature, such as a scanned handwritten signature, may be used, but if a dispute arises, experts would need to advise on the evidence value of this signature. The advantage of the advanced electronic signature is that, in the context of a trial, this type of signature is directly considered as having the same evidence value as the handwritten signature.
5. see http://www.openehr.org/standards/t_cen.htm