In the last decade, healthcare technology has advanced to a significant level. Many fields, such as cardiology, home care, dentistry, etc., have developed their treatment techniques and received new medical devices.
However, the greatest development in the field was in digital health. Many companies started developing software as a medical product or started creating medical devices connected to the Internet, thus creating a digital medical device industry. All of this meant that large amounts of personal data began to be received and processed over the Internet.
Naturally, this put data privacy and safety at the forefront of lawmakers’ attention. For this reason, virtually every state is developing its regulatory systems. Specifically, the USA and the EU have the greatest influence in the field with the Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation (GDPR), respectively.
These laws were not developed specifically for digital healthcare; however, both cover the field, each in its own way. For this reason, this article will begin by comparing the European and American legal frameworks for digital health. Then, the article will discuss the respective agencies that enforce these regulatory standards – the European Medicines Agency (EMA) and the US Food and Drug Administration (FDA). Lastly, it will cover the regulation of medical devices used for digital health.
The legal framework: GDPR vs. HIPAA
Just as the name of the act suggests, the General Data Protection Regulation (GDPR) regulates any situation where a company or organization is processing the personally identifiable information (PII) of an individual. PII means anything that can help directly or indirectly identify a living person. Processing PII means collecting, organizing, structuring, using, storing, sharing, and erasing data.
The data must be used for a legitimate purpose – for example, keeping information “just in case” is not considered a valid reason. Reasons for keeping the information could be the consent of the user, a contract, a legal obligation, etc., as described in Art. 6 GDPR.
In either case, the individual should be aware of how their data is handled and have a say in how it is processed. Companies must ensure data safety, and they are responsible if they take information from a distributor that is not GDPR-compliant.
The above-mentioned is valid for any PII, including digital health information. Because of these comprehensive obligations, the European legal framework can be classified as a rigorous regulation.
On the other hand, the USA’s alternative is a more specific regulation. Its respective legislation – the Health Insurance Portability and Accountability Act of 1996 (HIPAA) – covers only data related to healthcare.
In essence, it is a federal law that mandates the creation of standards for protecting the protected health information (PHI) of patients from being disclosed without their consent or knowledge. The law is similar to GDPR, and describing it will be easier with a comparison between the two acts.
Types of data collected
Under US law, PHI means only medical data – meaning that the condition of the patient, chronic diseases, etc. are protected. In the EU, PII means any data, direct or indirect, that links to an individual – name, address, telephone number, skin color, etc. Indirect information can also include online history, preferences, health status, etc.
Consent
Under HIPAA, healthcare providers can disclose PHI without patient consent in some instances. A disclosure with another medical provider is permissible for treatment, payment purposes, and healthcare operations. “Treatment” means providing healthcare in general.
“Payment” is related to billing patients for treatment, obtaining reimbursement, and handling insurance. “Healthcare operations” are any legal, administrative, or quality improvement actions that do not treat the patient itself.
However, under GDPR, such disclosure of information is restricted substantially: only information related to direct patient care, or “treatment”, may be shared without consent. Anything outside of that scope requires explicit consent. This includes communication and marketing activities between the care provider and the data subject – the individual must expressly consent to communications through phone, e-mail, etc.
The right to be forgotten
A feature unique to European legislation is the increased control over personal information records. An individual may request that an organization wipe their personal data off their databases. This includes wiping such data from associates or affiliates. This means that an organization needs to be able to track where PII is stored and have access to the database.
HIPAA permits patients to view their own medical records and other health information. Furthermore, individuals may request corrections, but there is no mechanism for wiping data history.
Disclosure of data breaches
When the PHI of a patient is breached, healthcare providers must notify the Department of Health and Human Services Office for Civil Rights (OCR). If more than 500 individuals are affected by such a breach, the data holder must notify the OCR and all affected individuals within 60 days.
If a smaller number of people are affected, such reporting must be done by the annual reporting deadline – that is, the incident must be reported by the 1st of March. This means that if an incident occurs on the 2nd of March and 600 people are affected, the organization must report it by the 2nd of May.
If the same incident affected only 450 individuals, the data holder has a year to report the incident.
Yet, when it comes to the EU, GDPR is drastically stricter, as Article 34 of the act sets only a 72-hour disclosure period.
Violations
HIPAA violations vary considerably, depending on each particular case and the severity of the violations.
They are based on whether a healthcare provider could not have known that their actions would result in a violation or whether they were negligent. In the first case, the fines range from $100 to $50,000. In the second, they range from $10,000 to $50,000, with possible criminal charges and jail time.
Lastly, the penalty can be up to $1.5 million a year for repeated violations of an identical provision.
The most notable case is that of Anthem, Inc. – a $115 million class-action lawsuit for failing to implement security protocols for protecting their electronic protected health information (ePHI). Hackers launched a cyberattack, resulting in 79 million people being affected.
GDPR violations are dealt with in a simpler way. Organizations that violate the law face sanctions of up to 4% of their income in the last 12 months or €20 million, whichever is higher.
A notable example of such a breach is in France, where DEDALUS BIOLOGIE, which distributes software for laboratories, was responsible for a leak of the PII of 500,000 individuals, resulting in a €1.5 million fine.
To issue such fines, each state needs competent authorities that monitor compliance with HIPAA and GDPR. For this reason, the FDA and EMA both monitor the healthcare field, from the pharmaceutical industry’s technology and drugs affecting human health to diagnostic and interventional radiology and medical devices worldwide.
Regulatory standards: The role of EMA and FDA in digital health
To begin with an explanation of the organizations: the European Medicines Agency (EMA) and the US Food and Drug Administration (FDA) both operate under very similar regulatory frameworks and share fewer differences than HIPAA and GDPR.
They are the competent authorities responsible for testing the safety and efficacy of a medical device, protecting and advocating for public health, and giving people health and regulatory information. There are only three main differences between the two agencies:
Structure
The FDA operates and oversees the USA exclusively. Due to this, it is centralized and oversees the drug approval process with its own staff.
The EMA, on the other hand, oversees the same process in many European countries. Due to this, centralization has not yet occurred, which leads to some complications.
The assessment of new drugs and devices is done independently by each country, and the agency draws on resources from more than 40 national competent authorities and more than 4,500 experts. After the assessment, the EMA sends an opinion to the European Commission, which approves or denies it.
Phases of approval
In both agencies, there are three stages – preclinical testing, clinical trials, and a final approval procedure. In the USA, an application is filed with the FDA for drugs that appear safe in the preclinical phase.
In the EU, an application is filed for receiving a marketing authorization license, which is valid in every EU state plus Iceland, Liechtenstein, and Norway. Most but not all products in the EU must follow the centralized authorization procedure; some products may still be authorized through national decentralized procedures.
Differences in testing
The testing process itself is quite similar for the two agencies, with only a slight twist. The FDA investigates new drugs when compared to placebos, while the EU compares the new drugs with old medications. However, this is not always the case, as the EMA does also incorporate placebo and active treatment as controls when possible.
Yet the trend is toward standardization of the approval mechanisms. Specifically, the FDA and the EMA already have the same application form for rare diseases. This common framework allows companies to apply in both jurisdictions at the same time.
That being said, while the data protection aspect of digital health regulation is relatively similar, there are substantial differences on the hardware front.
Medical device regulations in the EU and USA
When speaking about digital health, medical devices are usually not the first thing a person thinks about. However, many medical devices are connected to the Internet.
For example, the Internet of Things (IoT) is a class of devices – sensors, software, and other technologies – created for the purpose of generating and exchanging data with other devices over the Internet.
In this sense, remote heart monitoring devices could be used to track patients from their homes and submit the gathered data to healthcare professionals through the Internet. For that reason, the regulation of medical devices is just as important for digital healthcare.
Regulation in the European Union
Particularly in Europe, lawmakers have recognized several emerging challenges – the aging population, rising expectations of patients, and the migration of patients and health professionals.
To that end, the focus has been on branches like E-health, M-health, and genomics – all in an attempt to switch their approach from treating underlying conditions to the prevention of illnesses in the first place.
The EU defines medical devices as products or equipment intended for a medical purpose and regulates them under the New Approach (NA) directives. Under the directive, products placed on the EU market and benefiting from the free movement rules are covered by the legislative harmonization standards.
These standards are technical specifications that ensure the safety of the product. The key part is that these standards are not mandatory, and the manufacturer can apply other national standards. However, approved devices under the harmonized standards of the NA receive a presumption of conformity with the required standards in every EU country.
The assessment of the product itself is based on the risk levels and the intended use of the device.
There are four distinct categories in the EU:
- Class I – low risk – for example, enema kits and elastic bandages
- Class IIa – medium risk – catheters, blood transfusion tubes, and hearing aids
- Class IIb – medium/high risk – ventilators, surgical lasers, and infusion pumps
- Class III – high risk – pacemakers and heart valves
These strict regulations are created to ensure that the medical device can accomplish its intended use without compromising the condition or safety of the user. Any risk that is found is weighed against the possible benefit to the patient, ensuring the product is likely to produce more good than harm.
Regulation in the United States of America
The USA market is characterized by the development of the mobile and health IT sectors. Lawmakers are undergoing an effort to coordinate their approach towards the new wireless medical devices, mobile apps, and other digital healthcare devices.
The enforcement process is significantly more centralized, with the FDA, the Federal Communications Commission (FCC), and the Office of the National Coordinator for Health Information Technology (ONC) executing the main regulatory actions.
The FCC mainly regulates interstate and international communication by telephone, radio, television, internet, etc. It also oversees the authorization of equipment using radio frequencies. Lastly, it examines equipment emitting radio frequency energy that could cause interference with other systems.
The FDA, on the other hand, oversees equipment intended for the treatment, prevention, or diagnosis of diseases.
One example of such authorization is Mobile MIM, a program capable of “allowing doctors to view and assess medical images that have been approved by the FDA”.
Another example is Mobisante, an app that is a “mobile ultrasound imaging system that will cost between $7,000 and $8,000 in full” and displays the ultrasound on a smartphone.
The two agencies are coordinating their efforts and have even signed a memorandum to share information on device marketing authorizations and consult each other on the development of standards for mobile devices and digital health IT.
Lastly, the ONC is charged with the development and implementation of interoperable information technology. Some of its obligations might be to ensure rigorous regulation of certification programs for health IT or to develop standards for the certification of said programs.
In the US, medical devices are defined as “instruments or apparatus (including components) intended for use when diagnosing, treating or preventing diseases or medical conditions, or intended to affect the body through non-chemical means”. Some accessories used for marketing purposes or general use and not strictly for healthcare do not fall under the control of the above-mentioned organizations.
However, as in the EU, the intended use of the device is taken into account to determine if it is a medical device.
And similarly to Europe, the devices are classified based on their risk factors and efficiency:
- Class I – low-risk devices
- Class II – moderate-risk devices
- Class III – high-risk devices
Manufacturers are generally expected to classify their own devices before commercializing them. However, most of them are still subject to “general controls”, such as device listing and good manufacturing practice requirements and reporting.
Conclusion for intercontinental businesses
The current regulatory frameworks in Europe and the United States are quite similar when it comes to the protection of personal data in healthcare. While the GDPR and HIPAA were not created specifically for healthcare, they are both perfectly applicable in the field.
When it comes to comparing the two laws, European law is more decentralized due to the nature of the European Union. Despite this, GDPR is considerably stricter than HIPAA in many aspects, such as the policy around sharing information without the consent of the individual, the right to be forgotten, and the fines issued for violations of the act.
Yet, the updated regulatory changes from recent years show a trend toward creating equal standards in both laws.
This similarity is not present in the structure of their enforcement agencies, the EMA and the FDA; however, both still use similar techniques for assessing digital software and medical devices. In fact, both the American and the European agency have similar standards for assessing the risk related to each medical product.
For a business, this means that software or a medical device authorized in Europe has a great chance of being ready to begin the approval process in the USA, as the EU standards tend to be stricter. On the flip side, a product may be sent to the European market with relatively few changes.
Of course, there are always exceptions, and when dealing with regulations, even small mistakes can lead to fines. However, working with an IT company focused on medical software could be the key to an easy transition.
Working with such companies means that they will catch small mistakes that are easy to overlook, and instead of paying for experience with fines, a company can pay a smaller fee to a third party to ensure compliance.
BGO Software