In a previous post I have analysed the consequences of the European Court of Justice’s Ker-Optika judgment for e-commerce in physical medical devices. This post extrapolates the reasoning of the European Court in that case with respect to the provision or sale of medical devices as services in the context of eHealth services. My conclusion is that eHealth services constituting medical devices are regulated identically under EU law to physical medical devices and analyses the consequences of this.
Refresher; are eHealth services regulated under the EU Medical Devices Directive?
EU member states are not under all circumstances allowed to restrict the sale of medical devices to only physical outlets that specialise in medical devices. That is the outcome of the recent Ker-Optika judgment, concerning a dispute about the legality of Hungarian legislation that reserves the sale of contact lenses to shops that specialise in the sale of medical devices and, consequently, prohibits the sale of contact lenses via the Internet.
This has important consequences for the eHealth services industry in the EU, because eHealth services may very well constitute medical devices in the meaning of Directive 93/42 (“MDD”) as amended. In fact, many eHealth services have characteristics that cause them to fall within the scope of the concept of ‘medical device’ as defined in the MDD. Any software provided as service or software application provided to an end user for diagnostic and/or therapeutic purposes will normally constitute a medical device caught within the scope of the MDD. Indeed, with the adoption of Directive 2007/47 amending the MDD it has been clarified beyond doubt that standalone software can also constitute a medical device. That means that eHealth services constituting a medical device or involving a medical device must be CE marked as required under the MDD and the local national implementation of that directive, because otherwise they are on the market illegally. In practice however many eHealth services and applications do not meet this requirement and the level of awareness of regulatory compliance on the part of developers of such products and physicians prescribing them is very low.
Typical candidates for inclusion in the scope of medical devices are for example remote monitoring tools that monitor the physical condition of a patient via the internet and include a software algorithm that warns a physician if the patient’s parameters give cause for this. Another candidate would be remote readout and interpretation of blood values, like glucose or other critical values allowing a patient to adjust medication to the readout. As I have argued on other occasions, prime candidates are internet websites that allow individuals to assess their health risks or apps that psychiatric patients can use on their iPad to condition themselves for and report to their psychiatrist about otherwise threatening situations that may provoke panic attacks. Another good example is a medical decision support system running on a central server.
And finally, many of the telemedicine applications mentioned in the Commission’s Communication on telemedicine for the benefit of patients, healthcare systems and society will fall within that scope. Therefore, the legal situation with respect to telemedicine is a lot less unclear than the Commission states in its Communication on telemedicine for the benefit of patients, healthcare systems and society, because telemedicine will largely be an information society service regulated under the e-Commerce directive and the MDD.
Consequences for eHealth services
Because the e-Commerce Directive also applies to the sale or provision of services, it applies likewise to medical devices that are sold through the internet as an eHealth service, as has been confirmed by the European Commission in the Explanatory Memorandum to the Cross-Border Healthcare Directive and in the Communication on telemedicine for the benefit of patients, healthcare systems and society.
If we apply the reasoning in the Ker-Optika judgment, this means that EU member states cannot restrict the provision of eHealth services in general with the sole argument that the physical presence of the patient and the health professional in the same place is required at all times. This is for example one of the major obstacles to telemedicine mentioned in the Commission’s communication on telemedicine for the benefit of patients, healthcare systems and society. This obstacle has been to an extent removed by the Ker-Optika judgment. However, an EU member state could prescribe that (certain) eHealth services can only be offered after initial expert clinical intervention, e.g. after prescription by a physician or after an initial consult to define the parameters of the eHealth service.
In addition, in case of cross-border eHealth services EU member states may restrict the freedom to provide those on grounds of the protection of public health (see ee article 3 (2) juncto article 4 (a) (i) 2nd indent e-Commerce directive), provided however that
- the eHealth service concerned prejudices public health or presents a serious and grave risk of prejudice to those objectives and that
- the measures taken are proportionate to those objectives (Article 4 (a) (ii) and (iii) e-Commerce directive) and that
- the EU member state has concerned has asked the member state in which the provider is established to take measures and the latter did not take such measures, or they were inadequate, and notified the European Commission and the EU member state in which the provider is established of its intention to take such measures (article 4 (b) e-Commerce directive).
The Commission has indicated in its Communication on telemedicine for the benefit of patients, healthcare systems and society that
“for business-to- business (professional-to-professional) telemedicine services, such as teleradiology, the country of origin principle applies: the service offered by the professional must comply with the rules of the Member State of establishment. In the case of business-to-consumer activities (which might be relevant to telemonitoring services) the contractual obligations are exempted from the country of origin principle: the service might need to comply with the rules of the recipient’s country.”.
It is unclear to me why the Commission would want to make this distinction between B2B and B2C eHealth services, as there is no clear basis for that in the e-Commerce directive.
As explained above, national rules on how physical medical devices may be provided fall within the scope of the rules on the free movement of goods. This does not however apply to eHealth services in the same way. In the Ker-Optika case the Court held that this was an unregulated field under the e-Commerce directive because “requirements applicable to the delivery of goods” were explicitly stated to be outside the coordinated field pursuant to article 2 (h) (ii) e-Commerce directive. Consequently, the Court held, the national rules which relate to the conditions under which goods sold via the Internet may be supplied within the territory of a Member State fall outside the scope of that directive. Article 2 (h) e-Commerce Directive that defines the coordinated field of the e-Commerce Directive does not contain a similar limitation of the scope of the directive for information society services, so these are fully within the scope of the e-Commerce directive. This means that eHealth service providers are fully subject to the internal market clause in article 3 of the e-Commerce Directive (free provision of services provided that the provider meets the requirements for the activity concerned of the member in which it is established). Those member states may pose requirements with which the service provider has to comply in respect of:
- the taking up of the activity of an information society service, such as requirements concerning qualifications, authorisation or notification,
- the pursuit of the activity of an information society service, such as requirements concerning the behaviour of the service provider, requirements regarding the quality or content of the service including those applicable to advertising and con- tracts, or requirements concerning the liability of the service provider (Article 2 (h) (i) e-Commerce directive)
This means that it is very attractive to engage in forum shopping in the EU, because an eHealth services provider would logically establish itself in the EU jurisdiction with the most favourable eHealth regime and subsequently export that to the other member states via the internal market clause. Larger companies can choose out of which of their subsidiaries they will conduct the activities concerned.
In their implementation of EU directives member states have to observe the basic freedoms granted under the TFEU and the requirements that they may impose within the coordinated field have to be proportionate (see for example C-315/92 Clinique  ECR 317, point 17). Member states have to be able justify the proportionality of their rules. Since the provisions on the free movement of services are highly similar (and some might argue identical) on the point of restriction of market access and possible justifications for them, the reasoning of the European Court in the Ker-Optika case would arguably be similar when applied to eHealth services. Whether or not a restriction in the form of a prior mandatory examination in person by a physician (as opposed for example to a video conference consultation) is justified will depend on the risks associated with the condition that the eHealth service seeks to treat. Conversely, the fact that there is a high safety risk for users and patients if the eHealth service fails, is not as such an argument to prohibit an eHealth service for a particular purpose altogether.
Finally, since article 168 of the Treaty on the Functioning of the EU provides that the EU is not entitled to regulate healthcare as such, the scope and content of healthcare services will remain member state competence, as the Commission also states in its eHealth communication. However, the Commission has stated in that same document that as a general principle the classification of specific telemedicine services as medical acts should ensure that these meet the same level of requirements as equivalent non-telemedicine services (e.g. teleradiology vs. radiology). This principle ensures that adequately regulated health services are not replaced by less regulated telemedicine services and it avoids discrimination between providers of the same service, which would be incompatible with the e-Commerce Directive.
One other important point is that any member states’ rules that have an impact on eHealth services are most likely technical regulations are caught under Directive 98/34/EC as amended by Directive 98/48/EC that establishes a procedure imposing an obligation on Member States to notify the Commission and each other of all draft technical regulations “concerning products and Information Society Services, including telemedicine”, before they are adopted in national law. If this has not taken place the European Court has ruled in a line of case law including the CIA Security case and the LIDL Italy case “that breach of the obligation to notify renders the technical regulations concerned inapplicable, so that they are unenforceable against individuals”. As a result, eHealth providers have a strong instrument to use against technical measures impacting on eHealth services that have not gone through the notification procedure correctly and were duly scrutinized by the European Commission.
The Ker-Optika case confirms many of the legal assumptions that the Commission has previously made about the legal status of e-Health services. eHealth services that constitute medical devices fall within the scope of the e-Commerce directive. As a result, advertising and sales of these services are covered by that directive. Also the way the services are provided is harmonised under the e-Commerce directive and although it may still be regulated by EU member states in certain detail, such regulation must meet the proportionality requirements for restrictions on the free provision of services. If member states takes measures to regulate e-commerce in eHealth services, they must notify these to the European Commission for them to be enforceable against companies and private persons.