On Thursday 8 May I presented about EU regulation of mobile medical apps at the HIMSS Mobile Medical Apps roadshow in Berlin.

The European Commission’s Green Paper on mHealth has been hotly anticipated for quite a long time (at least by me!), so expectations were high. So high actually that I have not heard exultantly positive reactions to the Green Paper so far. The biggest problem people seem to have with it is that the Staff Working Document does not contain much new compared to the telemedicine Staff Working Document and that the Green Paper predominantly contains questions grouped by policy areas, rather than answers or even a hint of the policy directions the Commission is thinking about. Instead, at this stage the Commission has limited itself to asking the stakeholders what they think the Commission should do. The Green Paper poses 23 questions in 11 policy areas, which is a lot of questions in a wide range of issues.

I, for myself, have mixed feelings about the Green Paper. On the one hand I would have really liked for the Commission to have been more transparent about what it considers viable policy options. On the other, I understand that the Commission is operating in a situation with many moving policy parts (both internal and external) as we can see from the eHealth Action Plan 2012 – 2020 (see also here for my commentary to that), which it tries to demonstrate – I think – by asking so many questions in so many different areas. This is one of the central themes in my MMA presentation, embedded below. The fact that we have a Green Paper is progress, in a way.

I’ll start with some of the items I find the most relevant and interesting, just because I see companies struggle with them all the time. I’ll follow up with an additional blog on other items in the Green Paper.


One of the reasons why the Green Paper is far more wide open than many would have hoped is the competence of the EU in mHealth, which the Commission puts very diplomatically as:

“Many of the issues may not be within the competence of EU law, but the EU can still act as a clearing house for best practice and can help to stimulate innovation in an area of huge potential.”

This, I think, is a core dilemma for the Commission, because mHealth delivery is very closely connected to local provision of healthcare. As Julian Hitchcock and I have argued in relation to genetic testing, national provision of healthcare is outside the scope of EU competence under the current Lisbon Treaty and ensuing Treaty on the Functioning of the EU; the EU is short on competence in healthcare, and this is very apparent in policy areas like mHealth. This makes mHealth a very sensitive political area for the Commission, because it will have to make sure that it does not step on the toes of member states and mobilizes them for the things it needs their cooperation in, like the eHealth Networks under the Cross-Border Patient Rights Directive.

Personal data

Big data, data protection and security are very important items for mHealth and you can read about them here, here and here as well as in the embedded presentation above. Also, the General Data Protection Regulation proposal that will unify EU data protection regulation has been particularly unmindful of the use of personal data concerning health in mobile business models, courtesy of DG Justice of the Commission itself (for the proposal) and the European Parliament (for not making it better). No wonder that DG CNECT, which is driving the Green Paper, is asking the outside world how to come up with workable solutions because it apparently is unable to get through within the Commission itself.

For more nuance and detail on data protection in relation to mHealth, see my DIA Euromeeting presentation here and an interview on Datamonitor here. Suffice it to say that the GDPR is already hostile to future healthcare services, with its problematic regulatory attitude towards everything we like to do in m/eHealth: monitoring, profiling and datafication of human subjects in order to predict, prevent, diagnose and discover unknown unknowns about human diseases by finding correlations much more effectively. Why can’t we embrace these possibilities? We have new ethical problems, but we do not seem to have new ethics that can solve them (free after Michael Lotti, ‘Ethics and the Information Age’), so we continue to prefer substandard human judgment calls over more accurate and reliable technology solutions. We don’t want technology to spy on us, but we do want it to keep us out of harm’s way. The General Data Protection Regulation is focused mainly on the first, and neglects the second to the detriment of us all.

“State of play on the applicable EU legal framework”

Under this heading we see some of the interesting points from a legal/regulatory perspective, like a discussion of the borderline between “medical” and “lifestyle” devices with the Commission stating that

“In the EU, there are no binding rules as to the delimitation between lifestyle and wellbeing apps and a medical device or in vitro diagnostic medical device. […] Since this delimitation is not yet clarified through binding rules, when the Medical Devices Directives do not apply to apps, clarity is required as to the rules with which they must comply. The fact, that Union legislation could not yet address latest developments in this sector and that the Court has not had the opportunity to clarify the applicability of existing legislation on these newly developed apps, still leaves room for interpretation.”

This is too simple in my view. There are binding rules: the existing medical devices directives. There is clarification from the Court about the borderline between lifestyle / wellbeing on the one hand and medical on the other (Brain Products case). We still have room for interpretation because the MEDDEV on standalone software as medical device was not the clearest of documents and it is taking the responsible MDEG for ever to revise it (and we don’t even know if the result will even address mHealth). What I do agree with is that these rules are not particularly clear and moreover not particularly effectively harmonised, as we have seen in the Lyocentre case. And then the Commission is too polite to start about its own regulatory rubble in the form of the eLabeling regulation, which requires – I kid you not – a paper label for mHealth apps that are medical devices not intended for professional users (the big majority of them). Also, there is the outright crazy proposal of the European Parliament to revise the very definition of medical device as to include “indirect medical purpose” just because rapporteur Liese wants to regulate ‘life style tests’ (whatever those may be).

So, as to the question in the Green Paper “Are safety and performance requirements of lifestyle and wellbeing apps adequately covered by the current EU legal framework?” I would say yes because medical devices regulation (if device) has this covered already. Not so much under other EU safety regulation (if other), because the General Product Safety Directive and Product Liability Directive are unclear as to whether apps (or standalone software in general) are in scope.

Basically everything else flanking performance and safety is inadequately regulated at the moment:

  • labeling (eLabeling regulation requires paper label)
  • free movement under single binding classification (Lyocentre case says each member state can classify an app differently)
  • transparent criteria for classification (opaque judgment in Brain Products case: we still don’t know what medical means in relation to general health and wellbeing devices such as treadmills and other sporting or health goods)

So, clever way to pose the question but no points because it’s the wrong question, which should have been “Does the current EU legal framework create sufficient conditions for an internal market for safe and effective mHealth apps?”

Patient safety and transparency of information

This section of the Green Paper overlaps largely with the previous one, because it is also about safety and performance of mHealth solutions, but places it in the key of user oriented certification for utility (is it useful for what the user wants to use it for?) rather than in terms of safety and performance. However, it shows that the Commission is still confusing mHealth apps that are regulated as medical devices and other mHealth apps with a statement like “Safety may be demonstrated by using user safety standard or specific quality labels.” – yes, this is true perhaps for health/wellness apps that are not devices but no, it is not true for mHealth apps that are devices. This mixup is very prevalent in the mHealth market and leads to the situation that users and app developers think that CE marking of apps that are devices is optional if quality labels exist. Clinicians are publicly asking for rules that would guarantee the safety of medical apps (hello! standalone software was always covered by the medical devices directives and certainly after the 2007 revision that inserted software specifically in the definition of medical device) but are ignorant about medical devices law or ISO/IEC standards.

So do we need certification schemes to promote safety and usability? Can’t hurt, provided that those involved know what they are doing. I have seen ‘experts’ say in national news that CE marking of apps is optional and you shouldn’t spend a lot of time worrying about that stuff. I have had accountancy firms working on such schemes visit me and look at me surprised that I would propose completed CE marking for an app that is a medical device as a necessary condition for certification, or at least argumentation of the app developer as to the regulatory status of the app, just to check that they know what they’re doing and take safety and performance standards seriously. That is not top of mind at all. There is a lot of work to be done here.

As to the Green Paper question “How to ensure the safe use of mHealth solutions for citizens assessing their health and wellbeing?”: let’s start by having clear safety rules for software that can pose a risk to people in this space. They already exist for medical devices, but we can update the General Product Safety and Product Liability Directives to include software or make it very clear these do not cover software; at least that’s clear then.


More in the next post about the Green Paper! Don’t forget, the deadline for sending in feedback is 3 July. As a follow-up to this Green Paper and on the basis of the responses received, the Commission will announce possible next steps in the course of 2015.