Consequences of the EU Ker-Optika case for eHealth services

In a previous post I have analysed the consequences of the European Court of Justice’s Ker-Optika judgment for e-commerce in physical medical devices. This post extrapolates the reasoning of the European Court in that case with respect to the provision or sale of medical devices as services in the context of eHealth services. My conclusion is that eHealth services constituting medical devices are regulated identically under EU law to physical medical devices, and I analyse the consequences of this.

Refresher: are eHealth services regulated under the EU Medical Devices Directive?

EU member states are not under all circumstances allowed to restrict the sale of medical devices to only physical outlets that specialise in medical devices. That is the outcome of the recent Ker-Optika judgment, concerning a dispute about the legality of Hungarian legislation that reserves the sale of contact lenses to shops that specialise in the sale of medical devices and, consequently, prohibits the sale of contact lenses via the Internet.

This has important consequences for the eHealth services industry in the EU, because eHealth services may very well constitute medical devices in the meaning of Directive 93/42 (“MDD”) as amended. In fact, many eHealth services have characteristics that cause them to fall within the scope of the concept of ‘medical device’ as defined in the MDD. Any software provided as a service or software application provided to an end user for diagnostic and/or therapeutic purposes will normally constitute a medical device caught within the scope of the MDD. Indeed, with the adoption of Directive 2007/47 amending the MDD it has been clarified beyond doubt that standalone software can also constitute a medical device. That means that eHealth services constituting a medical device or involving a medical device must be CE marked as required under the MDD and the local national implementation of that directive, because otherwise they are on the market illegally. In practice, however, many eHealth services and applications do not meet this requirement and the level of awareness of regulatory compliance on the part of developers of such products and physicians prescribing them is very low.

Typical candidates for inclusion in the scope of medical devices are for example remote monitoring tools that monitor the physical condition of a patient via the internet and include a software algorithm that warns a physician if the patient’s parameters give cause for this. Another candidate would be remote readout and interpretation of blood values, like glucose or other critical values allowing a patient to adjust medication to the readout. As I have argued on other occasions, prime candidates are internet websites that allow individuals to assess their health risks or apps that psychiatric patients can use on their iPad to condition themselves for and report to their psychiatrist about otherwise threatening situations that may provoke panic attacks. Another good example is a medical decision support system running on a central server.

And finally, many of the telemedicine applications mentioned in the Commission’s Communication on telemedicine for the benefit of patients, healthcare systems and society will fall within that scope. Therefore, the legal situation with respect to telemedicine is a lot less unclear than the Commission states in its Communication on telemedicine for the benefit of patients, healthcare systems and society, because telemedicine will largely be an information society service regulated under the e-Commerce directive and the MDD.

Consequences for eHealth services

Because the e-Commerce Directive also applies to the sale or provision of services, it applies likewise to medical devices that are sold through the internet as an eHealth service, as has been confirmed by the European Commission in the Explanatory Memorandum to the Cross-Border Healthcare Directive and in the Communication on telemedicine for the benefit of patients, healthcare systems and society.

If we apply the reasoning in the Ker-Optika judgment, this means that EU member states cannot restrict the provision of eHealth services in general with the sole argument that the physical presence of the patient and the health professional in the same place is required at all times. This is for example one of the major obstacles to telemedicine mentioned in the Commission’s communication on telemedicine for the benefit of patients, healthcare systems and society.  This obstacle has been to an extent removed by the Ker-Optika judgment. However, an EU member state could prescribe that (certain) eHealth services can only be offered after initial expert clinical intervention, e.g. after prescription by a physician or after an initial consult to define the parameters of the eHealth service.

In addition, in case of cross-border eHealth services EU member states may restrict the freedom to provide those on grounds of the protection of public health (see article 3 (2) juncto article 4 (a) (i) 2nd indent e-Commerce directive), provided however that

  • the eHealth service concerned prejudices public health or presents a serious and grave risk of prejudice to those objectives and that
  • the measures taken are proportionate to those objectives (Article 4 (a) (ii) and (iii) e-Commerce directive) and that
  • the EU member state concerned has asked the member state in which the provider is established to take measures and the latter did not take such measures, or they were inadequate, and notified the European Commission and the EU member state in which the provider is established of its intention to take such measures (article 4 (b) e-Commerce directive).

The Commission has indicated in its Communication on telemedicine for the benefit of patients, healthcare systems and society that

“for business-to-business (professional-to-professional) telemedicine services, such as teleradiology, the country of origin principle applies: the service offered by the professional must comply with the rules of the Member State of establishment. In the case of business-to-consumer activities (which might be relevant to telemonitoring services) the contractual obligations are exempted from the country of origin principle: the service might need to comply with the rules of the recipient’s country.”

It is unclear to me why the Commission would want to make this distinction between B2B and B2C eHealth services, as there is no clear basis for that in the e-Commerce directive.

As explained above, national rules on how physical medical devices may be provided fall within the scope of the rules on the free movement of goods. This does not however apply to eHealth services in the same way. In the Ker-Optika case the Court held that this was an unregulated field under the e-Commerce directive because “requirements applicable to the delivery of goods” were explicitly stated to be outside the coordinated field pursuant to article 2 (h) (ii) e-Commerce directive. Consequently, the Court held, the national rules which relate to the conditions under which goods sold via the Internet may be supplied within the territory of a Member State fall outside the scope of that directive. Article 2 (h) e-Commerce Directive, which defines the coordinated field of the e-Commerce Directive, does not contain a similar limitation of the scope of the directive for information society services, so these are fully within the scope of the e-Commerce directive. This means that eHealth service providers are fully subject to the internal market clause in article 3 of the e-Commerce Directive (free provision of services provided that the provider meets the requirements for the activity concerned of the member state in which it is established). Those member states may pose requirements with which the service provider has to comply in respect of:

  • the taking up of the activity of an information society service, such as requirements concerning qualifications, authorisation or notification,
  • the pursuit of the activity of an information society service, such as requirements concerning the behaviour of the service provider, requirements regarding the quality or content of the service including those applicable to advertising and contracts, or requirements concerning the liability of the service provider (Article 2 (h) (i) e-Commerce directive)

This means that it is very attractive to engage in forum shopping in the EU, because an eHealth services provider would logically establish itself in the EU jurisdiction with the most favourable eHealth regime and subsequently export that to the other member states via the internal market clause. Larger companies can choose out of which of their subsidiaries they will conduct the activities concerned.

In their implementation of EU directives member states have to observe the basic freedoms granted under the TFEU and the requirements that they may impose within the coordinated field have to be proportionate (see for example C-315/92 Clinique [1994] ECR 317, point 17). Member states have to be able to justify the proportionality of their rules. Since the provisions on the free movement of services are highly similar (and some might argue identical) on the point of restriction of market access and possible justifications for them, the reasoning of the European Court in the Ker-Optika case would arguably be similar when applied to eHealth services. Whether or not a restriction in the form of a prior mandatory examination in person by a physician (as opposed for example to a video conference consultation) is justified will depend on the risks associated with the condition that the eHealth service seeks to treat. Conversely, the fact that there is a high safety risk for users and patients if the eHealth service fails is not as such an argument to prohibit an eHealth service for a particular purpose altogether.

Finally, since article 168 of the Treaty on the Functioning of the EU provides that the EU is not entitled to regulate healthcare as such, the scope and content of healthcare services will remain member state competence, as the Commission also states in its eHealth communication. However, the Commission has stated in that same document that as a general principle the classification of specific telemedicine services as medical acts should ensure that these meet the same level of requirements as equivalent non-telemedicine services (e.g. teleradiology vs. radiology). This principle ensures that adequately regulated health services are not replaced by less regulated telemedicine services and it avoids discrimination between providers of the same service, which would be incompatible with the e-Commerce Directive.

One other important point is that any member states’ rules that have an impact on eHealth services are most likely technical regulations caught under Directive 98/34/EC as amended by Directive 98/48/EC, which establishes a procedure imposing an obligation on Member States to notify the Commission and each other of all draft technical regulations “concerning products and Information Society Services, including telemedicine”, before they are adopted in national law. If this has not taken place the European Court has ruled in a line of case law including the CIA Security case and the LIDL Italy case “that breach of the obligation to notify renders the technical regulations concerned inapplicable, so that they are unenforceable against individuals”. As a result, eHealth providers have a strong instrument to use against technical measures impacting on eHealth services that have not gone through the notification procedure correctly and were duly scrutinized by the European Commission.


The Ker-Optika case confirms many of the legal assumptions that the Commission has previously made about the legal status of eHealth services. eHealth services that constitute medical devices fall within the scope of the e-Commerce directive. As a result, advertising and sales of these services are covered by that directive. Also the way the services are provided is harmonised under the e-Commerce directive and although it may still be regulated by EU member states in certain detail, such regulation must meet the proportionality requirements for restrictions on the free provision of services. If member states take measures to regulate e-commerce in eHealth services, they must notify these to the European Commission for them to be enforceable against companies and private persons.

The new Commission eHealth Action Plan, and some thoughts on what it will mean for devices

Last week the Commission launched its new eHealth Plan (EHAP). It was announced under the header “Putting patients in the driving seat: A digital future for healthcare”. A nice rundown of the relevant documents is here and a good summary by MedTech Europe (Eucomed and EDMA) is here. Then there is the convenient overview and roadmap over here giving an overview of actions to be implemented in 2012 – 2020. You might want to take a look at this Commission presentation on eHealth of last month giving you the short and comprehensive version of what they then expected to be in EHAP.

These developments are important for the medical devices industry, for several reasons. First, more and more medical devices are standalone software and provided as a service. Those are now explicitly regulated under the proposed Medical Devices Regulation and proposed In Vitro Diagnostic Devices Regulation. Secondly, more and more medical devices will connect to the internet as part of healthcare services in the internet of things. Thirdly, these devices, both software/service devices and physical ones, need degrees of interoperability to function together.

However, the EU has no direct competence to regulate healthcare or its financing. However, it has competence to regulate the internal market for medicines, medical technology and related services. Therefore, it must resort to regulating the conditions for eHealth services by removing barriers and creating conditions for the uptake, for example by means of the eHealth infrastructure established under article 14 of the Cross Border Patient Rights Directive. Indeed, access to and the conditions under which citizens can receive eHealth services differ wildly between member states. Denmark, for example, is the eHealth champion of Europe while other countries lag far behind.

The goal of the EHAP is

“to improve healthcare for the benefit of patients, give patients more control of their care and bring down costs. While patients and health professionals are enthusiastically using telehealth solutions and millions of Europeans have downloaded smartphone apps to keep track of their health and wellbeing, digital healthcare has yet to reap its great potential to improve healthcare and generate efficiency savings.”

To put this into perspective Commission Vice President for the Digital Agenda Neelie Kroes said at the EHAP launch: “Europe’s healthcare systems aren’t yet broken, but the cracks are beginning to show. It’s time to give this 20th Century model a health check. The new European eHealth Action Plan sets out how we can bring digital benefits to healthcare, and lift the barriers to smarter, safer, patient-centred health services.”

At the same time, the newly appointed Commissioner for Health and Consumer Policy, Tonio Borg, added: “eHealth solutions can deliver high quality, patient-centric, healthcare to our citizens. eHealth brings healthcare closer to people and improves health systems’ efficiency. Today’s Action Plan will help turn the eHealth potential into better care for our citizens. The eHealth Network under the Cross-Border Healthcare Directive channels our joint commitment to find interoperable solutions at EU level.”

With this in mind we would not be exaggerating if we paraphrase as follows: the EU’s healthcare systems are skirting the abyss but eHealth can save the day, if only the Member States can cooperate under the EU’s banner. This, of course, is where all the trouble starts for lack of competence of the EU to regulate healthcare directly. Responsibility to define the way to organise and deliver health services and medical care lies within the Member States. In several other areas supporting action from the Commission would be possible, notably under Articles 168, 173, 179 or 114 TFEU (Treaty on the Functioning of the EU). As a result you get an EU that harbors absolute eHealth champs like Denmark and absolute laggards. And nobody can agree on joint standards because there aren’t any mandatory ones. Denmark has now put its money on the Continua standards for interoperability of devices, which I think is a very good sign. They have actually issued the first tender for Continua compliant telemedicine services.

The Commission Staff Working Document on Telemedicine that is part of the EHAP package does a great job of summarising the legal and regulatory questions for a typical cross border eHealth service:

Licensing: Does the telemedicine provider also need to be licensed/registered in the Member State of the patient? – this is harmonised to an extent by the Cross Border Patient Rights Directive that imposes home country control for the service (just like the e-commerce directive does). As eHealth services are sold online more and more, I expect that there will be more friction between the e-Commerce directive and national law, as you can read in my post about the Ker-Optika case. The Ker-Optika judgement has also found its way into the Commission’s recent thinking about telemedicine set out in the Staff Working Paper on Telemedicine. The Commission, in order to maximise potential reliance on the Ker-Optika theory of free movement of information society services, states that

“It is important to underline that telemedicine is not a new medical act and does not intend to replace traditional methods of care delivery, such as face-to-face consultations. It rather represents an innovative way of providing health and care services, which, can complement and potentially increase the quality and efficiency of traditional healthcare delivery.”

I am not sure if this theory can be maintained in all scenarios, as it would seem to be based on a concept of telemedicine as monitoring of an already diagnosed disease. However, in practice telemedicine is capable of much more as it becomes more and more autonomous, like new diagnosis and subsequent automatic follow-up. This would mean that the last medical act by a human operator might actually be the prescription or recommendation of a particular expert or clinical decision support system, as already happens with apps that tell people what dose of a medicinal product to take and that are recommended by a physician.

Data Protection: What are the conditions for the legitimate processing of personal data related to health? Processing of data concerning health is harmonised under the Data Protection Directive which provides for regulatory one-stop-shopping but does not provide for full harmonization. However, as the Article 29 Working Party’s opinion on epSOS shows, things get really complex very quickly and it is very difficult to set up an eHealth services structure that stands up to scrutiny. And then the Data Protection Directive is currently being replaced by something a lot stricter in the field of health data, the General Data Protection Regulation.

Reimbursement: Will the cross-border telemedicine service be reimbursed? This is where things get really complex as Regulation (EC) No 883/2004 on the coordination of social security systems is not applicable to telemedicine services because it expressly requires the physical presence of the patient in the Member State of treatment (the one of the healthcare provider). This means you have to fall back on the Directive on the application of patients’ rights in cross-border healthcare that sets as a general rule that the Member State of affiliation shall ensure that the costs incurred by any insured person receiving cross-border healthcare are reimbursed, if the healthcare in question is among the benefits to which the insured person is entitled in the Member State of affiliation. Of course the question is if cross-border healthcare is among the things reimbursed in the patient’s member state. And – although there are some conditions – Member States may still require prior permission.

Liability: What is the liability regime applicable in case damage arises? Again, difficult: the EU harmonises product liability, but it does not harmonise professional liability for medical treatment, and member states even diverge in how they treat professional liability for malfunctioning devices used for provision of medical services. Furthermore, as I have recently researched, Member States tend to think quite differently about whether software is a ‘product’ in the meaning of the product liability directive.

Relevant jurisdiction and applicable law in case of damage: What are the relevant jurisdiction and the law applicable in case damage arises? Well, as the case study on this point in the Staff Working Document on Telemedicine shows, things can get very complex even though EU law harmonises jurisdiction to an extent.

What will this mean for the devices sector? Promotion of interoperability all around as party line. Actually the new Medical Devices Regulation proposal already has that modestly vectored in the new essential requirements (no 11.5, which provides that devices that are intended to be operated together with other devices or products shall be designed and manufactured in such a way that the interoperability is reliable and safe). Now that the Commission proposes to be able to change the essential requirements by delegated act (convenient) or issue Common Technical Specification by implementing act, the Commission has the tools to force interoperability from a safety policy perspective. You can expect tenders for devices enabling eHealth to include interoperability requirements, because these systems are useless if they can’t scale and interoperate. The Commission is further planning to issue (see the roadmap):

And the Commission will continue the international harmonisation efforts under the Memorandum of Understanding with the US on eHealth on interoperable eHealth systems and ICT skills. Remember that international harmonisation is one of the explicit goals under the proposals for the Medical Devices Regulation and the In Vitro Diagnostic Devices Regulation, and that the EU and US are in the IMDRF (former GHTF) together.

So, we aren’t there yet. As the SWP on Telemedicine concludes:

This Staff Working Paper underlines the importance of legal clarity in cultivating trust and acceptability of telemedicine. Furthermore, it is intended to serve as guidance to Member States, raising awareness on what telemedicine is and what they are committing to when they adopt it as a type of medical act, or reimbursable health service.

Finally, this paper shall serve as a starting point for discussion with Member States on the opportunity to tackle at EU level remaining legal uncertainties created by divergent national regimes such as the issue of medical liability.

That’s exactly what this is: the start of the discussion about an opportunity. Rome wasn’t built in a day either but if the EU – and most importantly the Member States – really want to leverage Moore’s law into eHealth, all involved will need to up their game (except Denmark) and start acting more like Denmark to the 27th power. At least we have such a good blueprint available, now we just have to roll it out to other member states and be ready to not re-invent the wheel.

There is also a lot more to say about the subject, so this post is by no means comprehensive. It’s just a start!

More on internet sales of medical devices

With the Ker-Optika judgment that I wrote about before in relation to internet sales of medical devices and online sale of eHealth services the European Court (ECJ) set boundaries for national legislation in the EU regulating the internet sales of medical devices. To sum it up, the fact that an expert consult is necessary initially does not justify a prohibition on internet sales of a medical device.

It is a common principle in EU internal market law that what member states are not allowed to prohibit via national law, companies are not allowed to prevent by means of agreements. It is therefore no great surprise that the ECJ, when faced with the question if internet sales for prestigious cosmetic products could be prohibited in a selective distribution agreement on grounds of ‘cosmetovigilance’, ruled in the recent Pierre Fabre Dermo-Cosmétique case that it

“has not accepted arguments relating to the need to provide individual advice to the customer and to ensure his protection against the incorrect use of products, in the context of non-prescription medicines and contact lenses, to justify a ban on internet sales” (point 44)

The ECJ referred explicitly to the Ker-Optika case in this respect as well as to the DocMorris case in which it also dissociated the internet delivery of a regulated product (medicinal product) and the need to protect consumers against incorrect use of the product. Consequently, the ECJ held that

“in the context of a selective distribution system, a contractual clause requiring sales of cosmetics and personal care products to be made in a physical space where a qualified pharmacist must be present, resulting in a ban on the use of the internet for those sales, amounts to a restriction by object within the meaning of that provision where, following an individual and specific examination of the content and objective of that contractual clause and the legal and economic context of which it forms a part, it is apparent that, having regard to the properties of the products at issue, that clause is not objectively justified.” (point 47)

The manufacturer of the cosmetic products had further submitted that the prohibition was allowed because it was equivalent to a prohibition on operating out of an unauthorised establishment, which was exempted under Regulation 2790/1999, the old vertical restraints block exemption. That argument did not convince the ECJ either because it held that

“prohibiting de facto the internet as a method of marketing cannot be regarded as a clause prohibiting members of the selective distribution system concerned from operating out of an unauthorised place of establishment within the meaning of Article 4(c) of Regulation No 2790/1999” (point 55)

This will play out in the same way under the new vertical restraints block exemption, Regulation 330/2010, which has the exact same hardcore restriction that removes an agreement from the safe harbour in article 4 (c). That does not mean that a manufacturer has no instruments at all to protect consumers even if it cannot prevent internet sales as such, since the Commission has stated in its FAQ about the new block exemption:

“However, certain vertical restraints on online sales can be justified because they eventually benefit consumers. For instance a supplier may impose a requirement, as for off-line sales, that, in a selective distribution system, a distributor must not sell online through a website that does not meet the agreed quality standards, or to unauthorised distributors.”

In the end, however, the judgment of the ECJ does not mean that internet sales cannot be prohibited in a selective distribution system under any circumstances. The manufacturer needs an objective justification derived from the properties of the product at issue. So, while it may not be objectively justifiable to prohibit internet sales for low-risk over-the-counter medical devices, it may well be that sales of higher-risk devices on the internet can be prohibited, as I have written in my post about the Ker-Optika case when discussing ‘burden of justification’ in detail.
