ANALYSIS OF LEGAL AND REGULATORY FRAMEWORKS IN DIGITAL HEALTH: A COMPARISON OF GUIDELINES AND APPROACHES IN THE EUROPEAN UNION AND UNITED STATES

Abstract
The advent of digital technology in healthcare presents opportunities for the improvement of healthcare systems around the world and the move towards value-based treatment.
However, this move must be accompanied by strong legal and regulatory frameworks that will not only facilitate but encourage the good use of technology. The goal of the study was to assess the amenability and furtherance of regulatory frameworks in digital health by evaluating and comparing the processes, effectiveness and outcomes of these frameworks in the European Union and United States. Methods: This study incorporated two research methodologies. The first was a review of current legal and regulatory frameworks in digital health in the European Union and United States. A comprehensive online search for publications was carried out which included laws, regulations, policies, green papers, guidelines and recommendations. This research was complemented with interviews of five purposively sampled key informants in the legal and regulatory landscape. Results: Mind-maps revealed key features and challenges of the digital health field in the topics of the current state of regulation of digital health in the EU, Germany and US, regulatory pathways for digital health devices, protection and privacy of health data, mobile health validation, risk-based classification of medical devices, regulation of clinical decision support systems, telemedicine, artificial intelligence and emerging technologies, reimbursement for digital health services and liability for digital health products. The experts expressed and explained key points where current regulation is deficient. The review of the legal frameworks revealed deficiencies which provide opportunities and recommendations to further develop and strengthen the regulatory landscape. Conclusions: A key element of a robust regulatory framework is the ability to ensure trust and confidence in using digital health technology. Technology must measure the impact on quality of life and burden of disease and not merely involve the collection of data.


Introduction
Digital technology in healthcare presents many opportunities for the improvement of healthcare systems around the world. It is one of the most significant tools that will enhance the move towards value-based treatment. However, this move needs to be accompanied by strong legal and regulatory frameworks that will not only facilitate but encourage the good use of digital technology. Despite various frameworks, there still appear to be barriers to the quick adoption of technologies. Research on the digitalisation of healthcare in Germany, conducted through interviews with experts on barriers and solutions for digital health, indicates that the degree of digitalisation in German healthcare is low when compared internationally and with other German industries.[1] It is of utmost importance that the technology sector forms and expands partnerships with regulatory authorities, so that future medical devices follow a regulatory framework that fosters rapid access to innovative technologies. Though medical devices are bound to the rules of the Medical Device Regulation (MDR), mHealth applications seldom undergo the critical evaluation of the MDR as compared to conventional medical devices.[2] The difficulties encountered by users who wish to identify an mHealth application that matches their ideas include inadequate or incomprehensible mobile app store descriptions (in terms of content and language) that do not provide particulars of the functionalities, content offered and information concerning limitations, data protection, or even the manufacturers themselves.[3] This research was conducted to analyse the legal and regulatory aspects of the digital health field and competences of regulatory bodies primarily in Germany and the United States.
The goal of the study was to assess the amenability and furtherance of regulatory frameworks in digital health by evaluating and comparing legal requirements that are currently in use in the European Union (EU) and United States (US), with respect to the processes, effectiveness and outcomes of the adoption of the current regulatory guidelines.

Methods
This study involved a review of the literature related to legal and regulatory frameworks in digital health, primarily focusing on the European Union and the United States, and interviews with key informants on the legal and regulatory landscape in digital health.
A comprehensive online search for publications on legal and regulatory frameworks in digital health was conducted. This included a search of laws, regulations, position statements, policies, green papers, guidelines and recommendations produced by governmental, professional organisations and other relevant bodies for use in the EU and the US. The search was supplemented with journal articles, reports, editorials, working papers, commentaries, reviews and relevant grey literature related to regulatory frameworks of digital health. A list of terms and keywords (related to regulation in digital health) with all possible synonyms and abbreviations for each keyword was developed. A search was then applied using the keywords and Boolean terms in order to retrieve relevant articles published between 1 January 2014 and 31 October 2019. Searches were carried out in each of ten topics as shown in Table 1. An example of the search strategy used was ("Digital Health" OR "eHealth" OR "mHealth" OR "pHealth") AND ("Regulation" OR "Regulatory frameworks" OR "Laws" OR "Legal" OR "Legislation" AND "European Union" OR "Germany" OR "United States"). The databases searched were: European Commission (ec.europa.eu), Bundesgesundheitsministerium für Gesundheit (bundesgesundheitsministerium.de), Food and Drug Administration (fda.org), Google Scholar and web sites of companies providing 'proxy' or 'surrogate' regulations, web portals of professional organisations, institutions, councils and committees concerned with governance.
The retrieved documents were reviewed and evaluated according to the following inclusion criteria: they represented the most recent normative documents from national organisations, regulatory committees, professional associations and journal publications which described guidelines, recommendations or policies on the legal and regulatory frameworks applicable to digital health enforced in the EU and US. Documents whose scope did not serve the purpose within the area of regulatory development in digital health, abstracts where full texts were unavailable, and publications in languages other than English and German were excluded. On selection of the documents, the literature was analysed to find strengths and weaknesses in the amenability of the regulation for digital health. The reviewed documents were analysed by pointing out their strengths and weaknesses in the context of the amenability of frameworks.
Interviews were conducted with five key informants, purposively selected based on their knowledge and experience with EU and US law related to digital health. A questionnaire was prepared to reflect the ten key areas of the search strategy (Table 1). The interviewees were briefed about the objectives of the research and interviews were carried out in person or by web conference. After obtaining consent, the interview was recorded and transcribed, and handwritten notes were made during the interview. The content of the interview text was critically analysed, and recurring themes were noted. A map of keywords and phrases of the thematic content was combined for all five interviews and each of the questions. These were drawn to visually organise the information and show hierarchical relationships among parts of the whole, simulating a 'mind' map. The mind-maps from the interviews formed the basis for the extraction of opinions, ideas, impressions and experiences of the key informants.
The main topics, primary opinions and secondary opinions were colour coded as blue, yellow and green respectively (Figure 1). Mind-maps as an aid to analysis were used to organise text fragments from data retrieved from interviews because they afford a great level of flexibility when thematically analysing qualitative data and they are particularly useful for the iterative process of qualitative analysis.[4] This study was undertaken with the approval of the Ethics Committee of the Deggendorf Institute of Technology.

Results
The documents retrieved were as follows: documents for regulation of digital health including software as a medical device in the EU (Table 2), legal framework for regulation of digital health in Germany (Table 3), documents for regulation of digital health including software as a medical device in the US (Table 4) and documents for the general regulation of digital health and software as a medical device (Table 5). Each of the selected documents (EU, Germany, US) was analysed in terms of strengths and weaknesses related to amenability of the regulatory landscape for digital health (Table 6). Using mind-maps of the interview data and a review of current legislation, the inadequacy of regulation of digital health in the EU, and particularly in Germany, was noted. The frameworks are far from what they should be and are currently in development. Apart from a number of policies from the European Commission (e.g. 'Aging well with ICT', 'Silver economy'), current regulation does not accurately address the regulatory needs of the digital health field. The frameworks related to medical devices alone are adequate, but introduce stringent requirements. Frameworks applied to medical devices as compared to those applied to other forms of digital health have different requirements. In Germany, a 'Telematikinfrastruktur' is in place, which is the basis for the regulation of the digital health field. It addresses regulatory needs like regulation of medical devices, telemedicine, regulation of professionals and the Electronic Health Record (elektronische Gesundheitskarte) system. A recent development in Germany is the Digital Supply Act (Digitales-Versorgungs-Gesetz, DVG). This act allows "apps on prescription" and is supported by a fast track assessment by the German Federal Institute for Drugs and Medical Devices.
In evaluating the regulatory field in the United States, especially with regard to the pilot Digital Health Software Precertification Program, it was noted that the Food and Drug Administration (FDA) has more degrees of freedom to react quickly and effectively in introducing necessary changes in regulation. However, this approach was found to have a major deficiency in that the experts questioned the basis of selection of companies for pre-certification. Secondly, they noted that there is no pre-market and only a post-market surveillance system. On the other hand, the process in the European Union requires prior testing of devices, followed by certification and placement on the market.
Concerning the protection and privacy of data, it was noted that the General Data Protection Regulation (GDPR) is necessary in the current scenario of digitalisation of the healthcare structure. The regulation gives clear definitions to the ownership of data and rights as a private person. The privacy and protection of data by companies is scrutinised more than before, making it possible to uncover previously undetected irregularities. The regulation is especially good for research and secondary use as the source and owner of the data can be traced. On stating that data is for research purposes, anonymisation can be done where the GDPR will not be an obstacle. One expert contended that secondary use should not be of a statistical nature as this is merely an assumption of one's health condition and it is important to get enriched data from the data source. A drawback of the GDPR is that despite its implementation there are cases of misuse as well as difficulties in implementation.
A mind-map on the regulation of mHealth (Figure 1) showed various aspects required for regulation. The experts stated the need for agencies to provide guidelines on "sensible medical applications," i.e. applications that provide a benefit to the user. The difficulties in regulating mHealth applications stem from the fact that there is no organisation to test or rate all mHealth applications available today. Secondly, it is difficult to differentiate applications for medical purpose from those meant for entertainment. It is also difficult to control the release of applications, since the placement of restrictions is not effective. In order to regulate applications on mobile platforms, the following was suggested: a system based on the purposiveness of apps, rating of applications provided by users' experience, placement of disclaimers and guidelines to allow people to be aware of the good use of the application and a system reflecting the literacy and frailty of the user.

Table 2. Retrieved documents pertaining to regulation of digital health including software as a medical device in the EU.
[16] | EC guidance document on the establishment of a framework of safety, quality, reliability and effectiveness criteria for mHealth apps
mHealth sub-group Report on national mHealth strategies (2016) [17] | EC report on the existing strategies, activities and perspectives on mHealth in EU member states
Summary Report on the Public Consultation on the Green Paper on Mobile Health, EC Report (2015) [18] | EC report of views and actions to the green paper on mobile health related to data protection, legal framework, patient safety, reimbursement, liability and mHealth role in health care system
Green Paper on mobile Health ("mHealth") (2014) [19] | Green paper on mHealth detailing data protection, security, reimbursement models, liability and the applicable EU legal framework
Existing EU legal framework applicable to lifestyle and wellbeing apps, EC Staff Working Document (2014) [20] | EC guidance document with description of the legal framework applicable to lifestyle and wellbeing apps
Council Directive (85/374/EEC) on approximation of laws, regulations and administrative provisions of Member States concerning liability for defective products (1985) [21] | Document for strict liability of damage arising from defective products

Law for better supply through digitization and innovation
Allows storage, processing of non-personal and anonymised data without unjustified restrictions; Guides processing of datasets with personal and non-personal elements
Strengthens data protection of EU citizens; Strong value to consent
Provides an exemption for use of data in research

Document | Strengths | Weaknesses
EU guidelines on assessment of the reliability of mobile health applications (2016) [16] | Highlights nine criteria - credibility, effectiveness, transparency, reliability, accessibility, desirability, safety, stability, security, usability for assessing the reliability of mHealth for mHealth apps that are not considered medical devices | Identifies certain gaps in regulation, but does not provide practical recommendations; Does not mention the regulation of mobile platforms
mHealth sub-group Report on national mHealth strategies (2016) [17] | Information with case examples on certification and endorsement of mHealth applications | Framework for certification/endorsement of mHealth apps not discussed nor provided
Green Paper and Summary Report of the responses on the Green Paper on Mobile Health (2014-2015) [18,19] | Presents wide ranging issues in mHealth, while presenting solutions, recommendations, actions and specific measures | -
Existing EU legal framework applicable to lifestyle and wellbeing apps, EC Staff Working Document (2014) [20] | Describes EU legislation applicable to lifestyle and wellbeing apps related to app user's rights and consumer rights | Limited to user rights, certification/endorsement of mHealth, categorisation of apps not provided
Council Directive (85/374/EEC) concerning liability for defective products [21] | Details producer liability, defective products, damage and injury | Does not exclusively mention digital health
[38,39] | Main law governing medical devices; Amendments to exclude decision support software from being defined as medical devices | Functions mentioned for decision support systems could also apply to standalone software
General Wellness: Policy for Low Risk Devices (2016) [40] | Categorisation of Low Risk devices for general wellness | Determination of risk not adequate
The informants stated that the use of risk to classify medical devices is most important. Medical devices circulate around the world, and hence they should be exchangeable. A classification system based on similar parameters is required in order to stay on a global level. However, this system is a type of preventive evaluation and is not oriented to the needs of the patient. It only reflects the efficacy of the medical device and not its effectiveness and thus lacks the ability to look at effectiveness on the quality of life. On the possibility of classifying medical devices on factors other than risk, the experts suggested systems based on the score of quality of life on using the application and results from users.
Medical technology moves faster than regulation, and hence legislation is inadvertently delayed. With a myriad of new technologies, it is necessary to apply new approaches, ideas and tools to evaluate and assess their efficacy. There is a need to ascertain the value afforded to a patient by a clinical decision support system taking into account the literacy and frailty of the user. A single, random medical decision support for everyone is inappropriate. The framework for artificial intelligence-based medical devices is covered by the medical device regulation. The experts noted that the current legal framework is insufficient and only in place to progress with the technology, thus restricting the emergence of new technologies. Other challenges include corporate interests and ethical considerations.
There must be a clear distinction between digital health uses and entertainment purposes. One main issue with the regulation of telemedicine is liability and jurisdiction. Since current rules do not provide adequate clarity, there is a need for a core of regulations ('who is responsible', 'which regional law must be followed') stating the liability for each field of telemedicine. Recognition and requirements of services, reimbursement of second opinion, exchange of health data and information between the doctor and the patient were considered as issues for the uptake of telemedicine. Picture and broadcasting laws are different from the Internet and thus broadcasting services can be blocked, affecting the access to telemedicine services. There are barriers with full deployment of services, related to the right of access, sovereignty and political resistances. Liability in digital health was considered to pertain to 'Doctor to Patient' and 'Doctor to Doctor' and the person closest to the patient should be considered liable. Another consideration was that regulations only focus on prerequisites to place devices on the market, and there is no clear regulation on the conditions under which the devices are being used, which can account for liability.

Discussion
The issues and challenges related to the regulation of digital health are manifold and are related to the rapid growth of biomedical technology with new ways of treatment and diagnosis. The key to a robust legal and regulatory framework is the establishment of trust, expectation, fairness and confidence among users. In order to achieve this objective, a proposed framework for the regulation of digital health must include the key elements of compliance with data security, privacy and protection, the adoption of good practices by developers and regulators along with criteria for the certification of software used as medical devices. The application of reimbursement strategies like the provision of coding for digital health services and the adoption of value-based reimbursement while showing a clear financial advantage for digital health technology is paramount. Finally, clarity on uncertainties in legislation that apply to digital health products and liability in case of jurisdiction for telemedicine services must be included.
As part of the strategy to provide a robust framework for digital health technology, the term 'Meaningful Regulation' of digital health is proposed. In the wake of the digital health boom and the current state of digital health regulation, 'Meaningful Regulation' essentially denotes strong regulation where such regulation is lax enough to support the momentum, but not so liberal as to jeopardise health and privacy. In essence, the frameworks must neither be risky nor too strict. This is important for countries beginning to develop their legal and regulatory frameworks. As of today, the regulatory frameworks are not as supportive as we require or need them to be. The EU does not appear to be competitive in the digital health landscape. Regulatory authorities must have the right degrees of freedom to advocate for the responsible use of digital technology. Coupled with this aspect, frameworks must be designed that incorporate strategies encouraging entry and use of novel digital technology. Emerging technologies like artificial intelligence and the use of big data must be rightly encouraged while adhering to the basic requirements like privacy and data protection laws and at the same time instilling an element of trust into users.
Digital health proposes a shift from having a close contact with the physician to an almost invisible contact with the physician. Telemedicine and mobile applications present good opportunities to allow users to identify their condition and seek appropriate medical attention. Among the challenges posed by the regulation of digital health, of immediate concern are those that are related to telemedicine and the liability for digital health services. Telemedicine has particular opportunities in situations that lack facilities and out-of-reach areas, and therefore there has to be clarity with regard to jurisdiction and wide access to this service. Other challenges in the regulation of digital health include the identification of the needs and attitudes of the healthcare professionals and the need for the educational system to provide them with the necessary knowledge and skills. From an ethical point of view, there is a possibility that technological innovation brings medical practice closer to statistics than humanity. Thus, there is a need for consumer organisations that involve a citizen-patient perspective.