From wearables sensors to collect physiological data to DNA’s sequences analysis with AI-based mechanism to online health counseling: numerous digital health solutions are currently being tested, implemented and improved. These technologies are rapidly changing the way health problems are identified, monitored and treated. Start-ups, hospitals, pharmaceutical companies are driving this innovation, but Switzerland is still lacking a common jurisdiction.
Stefan Kohler*, partner at VISCHER, has extensive experience in IP/technology law and regulated markets such as healthcare, pharma, medtech, biotech, cosmetics and foodstuffs. He regularly represents Swiss and foreign companies before Swiss courts and administrative authorities. That’s why Legalcommunity.ch had the pleasure to talk with him to understand the Swiss state of the art concerning this topic…
First of all, is there a difference between terms «digital health» and «e-health»?
The terms «digital health» and «e-health» are not defined legal terms in Switzerland. In general, these terms cover services and equipment that use information and communication technologies (ICT) in health care to improve health care and public health. In agreement with this, the Swiss government uses these terms in the context of the integrated use of ICT to design, support and network all processes and participants in the healthcare system.
As there is no uniform legislation in Switzerland, what does the legislative landscape look like?
Depending on the sector concerned by an e-health solution or device, the relevant laws and legal provisions can be found in various cross-sectional and sector-specific federal decrees. Ordinances issued by the Federal Government based on these federal decrees are to be taken into account too. Cantons sometimes set different standards in the field of digital health, which can make it difficult to introduce digital health applications uniformly throughout Switzerland.
What are the main legal issues in digital health you would point out?
Data security and data protection are regularly the main issue with digital health solutions. According to Swiss law, personal health data are considered «particularly sensitive» and, therefore, require strict protection. Providers of digital health solutions such as wearables, health apps or the electronic patient records (EPR) must comply with the applicable data protection regulations, in particular the Federal Data Protection Act and – in the European context – the General Data Protection Ordinance (GDPR).
And apart from data security and data protection?
Besides the data protection obligations, various other regulations are to be considered. In particular, regulations concerning health protection and professional duties of medical professionals must be taken into account. In the field of telemedicine and other digital service areas, the billing and remuneration models are still largely unclear. The currently applicable tariff system covers digital services only incompletely. Incentives for digital health solutions are missing. Finally, manufacturers and operators of digital solutions have to contractually regulate the legal aspects related to the development and operation, including issues of intellectual property, allocation of responsibilities and the distribution of costs and profits.
Can AI-services and software be qualified as medical devices?
Depending on its characteristics, AI-as-a-service may qualify as a medical device. If so, the compliance of the service with the legal requirements needs to be assessed by a Conformity Assessment Body (CAB). Given the large amounts of data from a variety of sources used in AI systems, AI systems are prone to errors. The establishment and maintenance of a continuous and effective quality assurance concept is indispensable. The liability issues associated with AI in healthcare need to be carefully contractually allocated between the parties involved (e.g. manufacturer, operator, health insurance company, health care professionals).
To this purpose, what regulations apply in Switzerland?
AI systems require large amounts of data from sources such as electronic health records, pharmacy records, insurance claims records, or patient-generated information. The operators of AI systems must ensure compliance with data protection legislation (including that on cybersecurity). Furthermore, in Switzerland, AI- services and software that qualify as medical devices are dealt with by the Therapeutic Products Act and the Medical Device Ordinance based thereon. Compliance of such device with the medical device regulations needs to be assessed by a Conformity Assessment Body (CAB).
What are the principal regulatory authorities in Switzerland?
The Swiss Agency for Therapeutic Products (Swissmedic) is responsible for the enforcement of the Swiss legislation on therapeutic products (i.e. medicinal products and medical devices). Swissmedic’s remit mainly involves the granting of marketing authorisations and operating licences and the market surveillance. The Federal Office of Public Health (FOPH) is generally responsible for the health of the Swiss population, develops Swiss health policy and is committed to a health system that is efficient and affordable in the long term. Cantonal Authorities are responsible for the surveillance and enforcement of the Swiss legislation on therapeutic products in specific areas (e.g. carrying out inspections and quality controls). To implement the eHealth Switzerland strategy, the Federal Department of Home Affairs (FDHA) and the Conference of Cantonal Health Directors (CDC) jointly run the eHealth Suisse competence and coordination centre. Its aim is to define common organisational, legal and technical guidelines for the development of eHealth applications, in particular the EPR.
Going back to the use and share of personal data. What key issues should be taken into account?
Swiss data protection law is technology-neutral. The processing of data relating to specific or identifiable persons is subject to the Data Protection Act and under certain circumstances to the GDPR. In contrast to European law, Swiss law does not prohibit data processing as long as the processing is carried out lawfully and in accordance with the data processing principles, such as transparency, purpose limitation, proportionality, data integrity and data security.
So, the consent is not required…
This is a critical point. It is not yet totally clarified under Swiss law, to what extent the informed consent needs to explicitly cover further processing of health data, e.g. for research purposes. The predominant doctrine assumes, however, that a further processing of health data should be permitted to the extent such processing is within the scope of and not obviously conflicting with the given consent and does not infringe any personality rights. Furthermore, the principles of proportionality, data integrity and security need to be adhered to also in view of further processing.
And as for anonymised data?
Data that is truly anonymised does not fall under data protection laws. As a result, it can be freely used for any purpose, including medical research. However, when large amounts of data are analysed, anonymisation reaches its limits. The comparison of anonymised data with other data entails the risk of re-identification of the previously anonymised data. Health data in particular is highly individualised, which makes effective anonymisation difficult.
Are there any specific projects VISCHER is working on in this field?
We’re advising various developers and operators of e-health solutions. The projects include (among others): telehealth platforms, which should allow online consultation of patients by doctors; physiotherapy equipment that digitally records and individually evaluates movement and performance data of patients. We’re dealing also with wearables that collect real-time data on health-relevant parameters and allow analysis of the current and predicted health status of users and mobile apps that measure the user’s health-related activities in real time and provide the user with instructions or make recommendations on specific behaviour. Finally, we’re working with an AI-based service which allows binary predictions of the outcome of clinical trials based on a repertoire of disease aetiology models.