Manuel Alonso, Partner at JAUSAS, reviews in this article recent trends in the mHealth app market, and assesses the reasons behind these developments. Manuel then goes on to focus on mHealth in Spain, reporting on local initiatives to promote mHealth, and explains the legal framework and related initiatives at an EU level that apply. Finally, Manuel provides a number of recommendations for developers in regard to keeping their mHealth apps compliant. A couple of months ... Manuel Alonso, Partner at JAUSAS, reviews in this article recent trends in the mHealth app market, and assesses the reasons behind these developments. Manuel then goes on to focus on mHealth in Spain, reporting on local initiatives to promote mHealth, and explains the legal framework and related initiatives at an EU level that apply. Finally, Manuel provides a number of recommendations for developers in regard to keeping their mHealth apps compliant. A couple of months ago, while wandering through the MWC (Mobile World Congress) in Barcelona, I heard the answer “the only way is app!” to the question “How do you expect the eHealth market to develop next year?” Funny or not, the answer seems accurate. mHealth, understood as both applications that may be connected to medical devices or sensors (bracelets, smartwatches) and apps aimed at providing real time, accurate information related to health and medication reminders, is the star player in the eHealth scenario. And in the mHealth kingdom, the app reigns. Let’s look at some global figures. mHealth, as a business, is growing in two digit figures, up to 50% annually, and well-known brands, both in the IT and pharma market, are constantly investing in co-branded solutions. The FDA reports that there are more than 100,000 apps related to health but the truth is that the demand for new apps due to the impact of wearable technology is providing a rich environment for a huge increase over and above this reported number. The European Commission recently estimated that in 2017, over 3,000 million people will have access to mobile devices in the world, and up to 50% of them will use mHealth apps (including lifestyle and wellbeing apps)1 . What is the reason for this mHealth app trend? One factor is that health service providers are trying to reduce the costs involved in order to access the maximum number of potential users and mobile technology provides an optimal solution to increase efciency without incremental costs, relieving the pressure on healthcare systems, both private and public. Another factor is that users expect and ask for empowerment, understood as the capacity to handle better and more accessible information from health professionals, and particularly to access on-demand information when and where requested, including diagnostic and emergency services, avoiding the need for the patient’s physical presence in a healthcare institution. The classification of these healthrelated apps depending on their purpose, shows that a clear distinction must be made between apps that monitor physical activity, but that are not linked to any diagnosis of patients, and those apps addressed exclusively to patients and health professionals, where the concept of software as a medical device can be discussed. As a principle, if an app is considered a diagnostic and/or therapeutic tool, the app is to be regarded as a ‘medical device,’ which demands the imposition of certain legal obligations for such app. In Spain, the Health Administration, both through national and local institutions, strongly supports mHealth initiatives. In Andalucía, the Agencia de Calidad Sanitaria (Health Quality Agency), under the control of the local Administration (Junta de Andalucía) has implemented a full strategy for mHealth, and since 2012 has provided a comprehensive guide of recommendations for app developers, health professionals and legal counsel to develop and distribute secure, compliant and quality checked apps. The Agency even provides a certification to those apps that comply with the fullrecommended process and includes them in its specific certified catalogue, where both health professionals and final users can access them. This is done absolutely free of charge and is open to both Spanish and foreign applications. Likewise, in Catalonia, the local Government, Generalitat de Catalunya, through its Health Department, has implemented an institutional site designed to ‘promote the development and use of ICT and networking in the field of health, and monitoring of emerging initiatives and provides services for the standardisation and accreditation of products2.’ At this URL (in the second footnote) are also found guidelines, standards and an accreditation process for all initiatives addressed to improve the awareness of the impact of mHealth, alongside an updated list of certified health apps, so that potential users can rely on quality control regarding the security and legal compliance of their medical personal data. The most relevant legal framework in Spain for mHealth and apps addressed to the provision of eHealth services involves the following legislation: Data protection Apart from the Ley Orgánica de Protección de Datos 15/1999 and Real Decreto 1720/2007 Regulation on Data Protection, both derived from the EU Directive 95/46, the new General Data Protection Regulation (‘GDPR’), which entered into force on 24 May 2016, shall be fully applicable from 25 May 2018, in substitution of the Data Protection Directive (95/46), and shall be directly applicable in all Member States. The concept of sensitive data is fully applicable when talking about mHealth. And an inaccurate processing of the personal data not only of patients but of any subject may imply huge fines. The need to protect, process with the corresponding technical protective measures and archive the sensitive medical data of subjects using health related apps shall require a strict protocol for sponsors, developers and health professionals. The GDPR aims to provide legal certainty for businesses and create trust in health services with a uniform and high level of protection for individuals. It also introduces the new concept of ‘data protection by design,’ which aims to create a proactive attitude in all concerned regarding the processing of personal data. Additionally, in order to assist in this new data protection environment, in June 2016, the Commission submitted to the Article 29 Working Party (‘WP29’) a final draft of the Code of Conduct on privacy for mobile health applications for approval. The Code was drafted to ensure compliance with both the Data Protection Directive and the GDPR, and the WP29 recently provided feedback on the draft Code. After the entry into application of the GDPR in May 2018, the European Data Protection Board will also seek to approve the Code. The core of the Code of Conduct consists of practical guidelines for app developers3. Key elements are:
- User’s consent: Explicit consent needs to be obtained for the processing of health data. The user’s consent for the processing of personal data must be free, specific and informed.
- Purpose limitation and data minimisation: The data may be processed only for specific and legitimate purposes. Only data that are strictly necessary for the functionality of the app may be processed.
- Privacy by design and by default: The app developer has to pre-select the least privacy invasive choice by default.
- Data subjects’ rights and information requirements: The user has the right to access their personal data, to request corrections and to object to further processing.
- Data retention: Personal data may not be stored longer than necessary.
- Security measures: Technical and organisational measures need to be implemented to ensure the confidentiality, integrity and availability of the personal data processed and to protect against accidental or unlawful destruction, loss, alteration, disclosure, access or other unlawful forms of processing.
- Advertising in mHealth apps: There is a distinction between advertising based on the processing of personal data (requiring opt-in consent) and advertising not relying on personal data (opt-out consent).
- Use of personal data for secondary purposes: Any processing for secondary purposes needs to be compatible with the original purpose.
- Disclosing data to third parties for processing operations: The user needs to be informed prior to disclosure and the app developer needs to enter into a binding legal agreement with the third party.
- Data transfers: For data transfers to a location outside the EU/EEA, there needs to be legal guarantees permitting such transfers.
- Personal data breach: The Code provides a checklist to follow in case of a personal data breach, such as notification to a data protection authority.
- Data gathered from children: the most restrictive data processing approach needs to be taken and a process implemented to obtain parental consent.
- Decide if their app is to be considered a medical device. This decision has serious legal implications.
- Ask their lawyers to review the personal data flow in the app and its potential impact under the new GDPR, prior to May 2018.
- Try to adhere to the guidelines provided by the European Commission through their publications.
- Follow the recommended compliance process and achieve a quality certification in order to provide comfort to potential users who may have concerns.
Sign up to our email digest
Click to subscribe or manage your email preferences.