The mHealth market: app trends and compliance

Manuel Alonso, Partner at JAUSAS, reviews in this article recent trends in the mHealth app market, and assesses the reasons behind these developments. Manuel then goes on to focus on mHealth in Spain, reporting on local initiatives to promote mHealth, and explains the legal framework and related initiatives at an EU level that apply. Finally, Manuel provides a number of recommendations for developers in regard to keeping their mHealth apps compliant. A couple of months ... Manuel Alonso, Partner at JAUSAS, reviews in this article recent trends in the mHealth app market, and assesses the reasons behind these developments. Manuel then goes on to focus on mHealth in Spain, reporting on local initiatives to promote mHealth, and explains the legal framework and related initiatives at an EU level that apply. Finally, Manuel provides a number of recommendations for developers in regard to keeping their mHealth apps compliant. A couple of months ago, while wandering through the MWC (Mobile World Congress) in Barcelona, I heard the answer “the only way is app!” to the question “How do you expect the eHealth market to develop next year?” Funny or not, the answer seems accurate. mHealth, understood as both applications that may be connected to medical devices or sensors (bracelets, smartwatches) and apps aimed at providing real time, accurate information related to health and medication reminders, is the star player in the eHealth scenario. And in the mHealth kingdom, the app reigns. Let’s look at some global figures. mHealth, as a business, is growing in two digit figures, up to 50% annually, and well-known brands, both in the IT and pharma market, are constantly investing in co-branded solutions. The FDA reports that there are more than 100,000 apps related to health but the truth is that the demand for new apps due to the impact of wearable technology is providing a rich environment for a huge increase over and above this reported number. The European Commission recently estimated that in 2017, over 3,000 million people will have access to mobile devices in the world, and up to 50% of them will use mHealth apps (including lifestyle and wellbeing apps)1 . What is the reason for this mHealth app trend? One factor is that health service providers are trying to reduce the costs involved in order to access the maximum number of potential users and mobile technology provides an optimal solution to increase efciency without incremental costs, relieving the pressure on healthcare systems, both private and public. Another factor is that users expect and ask for empowerment, understood as the capacity to handle better and more accessible information from health professionals, and particularly to access on-demand information when and where requested, including diagnostic and emergency services, avoiding the need for the patient’s physical presence in a healthcare institution. The classification of these healthrelated apps depending on their purpose, shows that a clear distinction must be made between apps that monitor physical activity, but that are not linked to any diagnosis of patients, and those apps addressed exclusively to patients and health professionals, where the concept of software as a medical device can be discussed. As a principle, if an app is considered a diagnostic and/or therapeutic tool, the app is to be regarded as a ‘medical device,’ which demands the imposition of certain legal obligations for such app. In Spain, the Health Administration, both through national and local institutions, strongly supports mHealth initiatives. In Andalucía, the Agencia de Calidad Sanitaria (Health Quality Agency), under the control of the local Administration (Junta de Andalucía) has implemented a full strategy for mHealth, and since 2012 has provided a comprehensive guide of recommendations for app developers, health professionals and legal counsel to develop and distribute secure, compliant and quality checked apps. The Agency even provides a certification to those apps that comply with the fullrecommended process and includes them in its specific certified catalogue, where both health professionals and final users can access them. This is done absolutely free of charge and is open to both Spanish and foreign applications. Likewise, in Catalonia, the local Government, Generalitat de Catalunya, through its Health Department, has implemented an institutional site designed to ‘promote the development and use of ICT and networking in the field of health, and monitoring of emerging initiatives and provides services for the standardisation and accreditation of products2.’ At this URL (in the second footnote) are also found guidelines, standards and an accreditation process for all initiatives addressed to improve the awareness of the impact of mHealth, alongside an updated list of certified health apps, so that potential users can rely on quality control regarding the security and legal compliance of their medical personal data. The most relevant legal framework in Spain for mHealth and apps addressed to the provision of eHealth services involves the following legislation: Data protection Apart from the Ley Orgánica de Protección de Datos 15/1999 and Real Decreto 1720/2007 Regulation on Data Protection, both derived from the EU Directive 95/46, the new General Data Protection Regulation (‘GDPR’), which entered into force on 24 May 2016, shall be fully applicable from 25 May 2018, in substitution of the Data Protection Directive (95/46), and shall be directly applicable in all Member States. The concept of sensitive data is fully applicable when talking about mHealth. And an inaccurate processing of the personal data not only of patients but of any subject may imply huge fines. The need to protect, process with the corresponding technical protective measures and archive the sensitive medical data of subjects using health related apps shall require a strict protocol for sponsors, developers and health professionals. The GDPR aims to provide legal certainty for businesses and create trust in health services with a uniform and high level of protection for individuals. It also introduces the new concept of ‘data protection by design,’ which aims to create a proactive attitude in all concerned regarding the processing of personal data. Additionally, in order to assist in this new data protection environment, in June 2016, the Commission submitted to the Article 29 Working Party (‘WP29’) a final draft of the Code of Conduct on privacy for mobile health applications for approval. The Code was drafted to ensure compliance with both the Data Protection Directive and the GDPR, and the WP29 recently provided feedback on the draft Code. After the entry into application of the GDPR in May 2018, the European Data Protection Board will also seek to approve the Code. The core of the Code of Conduct consists of practical guidelines for app developers3. Key elements are:

• User’s consent: Explicit consent needs to be obtained for the processing of health data. The user’s consent for the processing of personal data must be free, specific and informed.
• Purpose limitation and data minimisation: The data may be processed only for specific and legitimate purposes. Only data that are strictly necessary for the functionality of the app may be processed.
• Privacy by design and by default: The app developer has to pre-select the least privacy invasive choice by default.
• Data subjects’ rights and information requirements: The user has the right to access their personal data, to request corrections and to object to further processing.
• Data retention: Personal data may not be stored longer than necessary.
• Security measures: Technical and organisational measures need to be implemented to ensure the confidentiality, integrity and availability of the personal data processed and to protect against accidental or unlawful destruction, loss, alteration, disclosure, access or other unlawful forms of processing.
• Advertising in mHealth apps: There is a distinction between advertising based on the processing of personal data (requiring opt-in consent) and advertising not relying on personal data (opt-out consent).
• Use of personal data for secondary purposes: Any processing for secondary purposes needs to be compatible with the original purpose.
• Disclosing data to third parties for processing operations: The user needs to be informed prior to disclosure and the app developer needs to enter into a binding legal agreement with the third party.
• Data transfers: For data transfers to a location outside the EU/EEA, there needs to be legal guarantees permitting such transfers.
• Personal data breach: The Code provides a checklist to follow in case of a personal data breach, such as notification to a data protection authority.
• Data gathered from children: the most restrictive data processing approach needs to be taken and a process implemented to obtain parental consent.

Medical devices legislation EU Directive 93/42 and its corresponding Spanish law, Real Decreto 1591/2009, provide the applicable definition of a ‘Medical Device.’ A health app is essentially a software product. If it aims to diagnose, prevent or treat illnesses, injuries or disabilities, it can be considered a Medical Device, especially if it was meant by the manufacturer for an individual’s medical use, either directly or in combination with other products, and whose main efect is not caused by a pharmaceutical product. On the contrary, if the purpose is not medical as is the case with a fitness apps, they must not be considered medical devices. However, a new medical devices regulation will come into efect in early 2020. Under this new Regulation, the scope will expand to include new product lines, software designed with the purpose of prediction and prognosis as well as software providing information by means of in vitro examination of specimens derived from the human body, including organ, blood and tissue donations, will also be considered a medical device. Furthermore, software applications regarded as medical devices will see their requirements increased and post-market reporting requirements will be stricter. Regarding apps, the developer is fully responsible for compliance, and is defined as the natural or legal person with responsibility for the design, manufacture, packaging and labelling of a device before it is placed on the market under his own name, regardless of whether these operations are carried out by that person themself or on their behalf by a third party (Article 1(2), f), Directive 93/42). To demonstrate conformity pursuant to the applicable Medical Device Directive, a conformity assessment procedure must be carried out prior to the placing of the product on the market, in order to demonstrate that the product meets the requirements and fulfills the advertised goals. The conformity assessment implies an obligation to keep track of updates and changes in order to ensure ongoing compliance. In February 2016, the European Commission created a working group to draft mHealth assessment guidelines4 on mHealth data quality, producing common quality standards and assessment criteria for health and wellbeing apps. The group includes representatives of patients, health professionals and providers, payers, industry, academia and public authorities. Developers and manufacturers of health apps that don’t comply with mandatory legal requirements may be subject to substantive fines. And liability goes beyond the completion of a conformity assessment procedure. Damages derived from the direct or indirect result of a health app malfunction imply liability for the developer or service provider behind the app. E-Commerce Directive The digital framework in which health apps are distributed implies the intervention of several players, including the app developer, the app stores, ISPs and of course, the final users. E-commerce regulations protect the activity of an ISP whenever it can demonstrate lack of knowledge of wrongdoing on its services, a quick response to any claim regarding the processed data or when the services provided are passive and automated (technical). Nevertheless, issues regarding the intellectual property of the contents included in the app have to be considered, as is the case with any software product, and given the trend to commercialise apps with several developers or sponsoring brands, during development a thorough check of all IP rightsholders must be carried out to avoid future claims. Conclusions In Spain, this legal framework, and the implementation of EU regulations on data protection and cyber security (through the Network and Information Security Directive), plus the guidelines provided by both public administrations and private initiatives, seem sufcient to provide a steady environment for app development and the expansion of the health apps industry. At the recent Mobile World Congress, several initiatives were exhibited, and the principal problem detected by the professional community were the ‘zombie-apps’: all those apps that are not maintained, updated or efciently managed, which thus damage the whole market. Some recommendations for developers, from a practical point of view, would be to:

• Decide if their app is to be considered a medical device. This decision has serious legal implications.
• Ask their lawyers to review the personal data flow in the app and its potential impact under the new GDPR, prior to May 2018.
• Try to adhere to the guidelines provided by the European Commission through their publications.
• Follow the recommended compliance process and achieve a quality certification in order to provide comfort to potential users who may have concerns.

Assuming that mHealth is going to grow and that the market, manufacturers, developers and final users demand quality and secure apps, the sooner developers include quality control processes both legal and technical, the sooner their app shall have a better chance of succeeding.