On Wednesday 17th September, Health Technology Forum members gathered at Baker Botts’ office in London for a couple of key presentations on legal aspects of medical software.
The first, by Joe Hagan-Brown, Regulatory Affairs Specialist at the MHRA, covered the EU’s medical device-specific regulation. The second, by Alex Denoon of Lawford Davies Denoon, was a presentation on the EU’s data protection regulation.
Readers with long memories will recall that I summarised medical device-specific regulation a while back; much of what Joe said added colour to that summary. A few comments he made are perhaps worthy of repetition :
- the key to whether software is a medical device is the intent of the manufacturer. So, for example, because a Jawbone App which is not intended as a medical device can be used to monitor a critical aspect of a person’s care does not make it a medical device; however disclaimers that are clearly seeking to avoid medical device regulation do not work where it is evident that the original intent of the manufacturer was otherwise;
- MEDDEV 2.1/6 is the key document to read when seeking to decide whether a piece of software is a medical device;
- A spreadsheet can be a medical device where it performs a critical calculation (or more) that could adversely affect someone’s health, although obviously Excel, or other spreadsheet software, is not;
- There is a drive to introduce eUDIs (electronic unique device indicators) for apps;
- Telehealth software that advises a user that their readings are out-of-line with their normal levels is on the borderline, and could be considered a medical device.
Alex’s presentation was a deal scarier, because he was looking forward to the changes to data protection legislation introduced in the previous EU parliament which that parliament apparently bound the new EU parliament to implement. Key points Alex made were:
- There is a fundamental difference between healthcare information, and marketing & social media information – whereas we don’t want any secondary processing of the latter, we do want secondary processing of the former, to tell us when something with our health needs attention (note the separation of health was a key recommendation of DHACA‘s response to the EU Green Paper, available to members on the DHACA website); currently the proposed legislation treats both equally;
- Even if information to be processed is made anonymous to current day standards, future developments may render it possible to remove that anonymity – a process called “mosaicing” – for which organisations will still be held liable, with potentially very heavy fines (up to the higher of 5% of global turnover or €100M);
- The current proposals, if enacted, will have a devastating impact on much of the big data/analytic work in the EU that is underpinning medical advances at present, as well as the ability to run clinical trials.
Alex went on to pass a few comments on the proposed changes to medical/in-vitro device legislation, including:
- There will be a significant increase in the requirement to engage notified bodies, so much less self-certification;
- There is a widening of the definition of ‘accessory’ that includes the word ‘assist’;
- Rapporteur Liese (also a GP) has proposed adding the word ‘indirect’ to the references to “direct medical purposes” and to “direct impacts” so as to read “direct or indirect medical purposes” etc. – this would result in a vast amount of additional software (and hardware) being brought within the ambit of the legislation and so essentially set back medical practice many years, although Alex is hopeful it will not be accepted.
As always, our especial thanks to Baker Botts for their generous hospitality.