Journal:A legal framework to support development and assessment of digital health services
|Full article title||A legal framework to support development and assessment of digital health services|
|Journal||JMIR Medical Informatics|
|Author(s)||Garrell, Cecilia; Svedberg, Petra; Nygren, Jens M.|
|Author affiliation(s)||School of Health and Welfare at Halmstad University|
|Primary contact||Email: jens.nygren [at] hh.se; Phone: 46 35167863|
|Volume and issue||4 (2)|
|Distribution license||Creative Commons Attribution 2.0|
- 1 Abstract
- 2 Introduction
- 3 Methods
- 4 Results
- 4.1 Identification of concepts and regulations
- 4.2 Structure of concepts and regulations into a framework
- 4.3 Validation of the framework
- 5 Discussion
- 6 Acknowledgements
- 7 Conflicts of interest
- 8 Multimedia Appendix 1
- 9 References
- 10 Abbreviations
- 11 Notes
Background: Digital health services empower people to track, manage, and improve their own health and quality of life while delivering a more personalized and precise health care, at a lower cost and with higher efficiency and availability. Essential for the use of digital health services is that the treatment of any personal data is compatible with the Patient Data Act, Personal Data Act, and other applicable privacy laws.
Objective: The aim of this study was to develop a framework for legal challenges to support designers in development and assessment of digital health services.
Methods: A purposive sampling, together with snowball recruitment, was used to identify stakeholders and information sources for organizing, extending, and prioritizing the different concepts, actors, and regulations in relation to digital health and health-promoting digital systems. The data were collected through structured interviewing and iteration, and three different cases were used for face validation of the framework.
Results: A framework for assessing the legal challenges in developing digital health services (Legal Challenges in Digital Health [LCDH] Framework) was created and consists of six key questions to be used to evaluate a digital health service according to current legislation.
Conclusions: Structured discussion about legal challenges in relation to health-promoting digital services can be enabled by a constructive framework to investigate, assess, and verify the digital service according to current legislation. The LCDH Framework developed in this study proposes such a framework and can be used in prospective evaluation of the relationship of a potential health-promoting digital service with the existing laws and regulations
Keywords: digital health; legal aspects; technological innovations
Through the use of wireless devices, sensor technologies, the Internet, social networks, health information technology (IT), and personal health data, digital health services empower people to track, manage, and improve their own health and quality of life. At the same time, these services provide a more personalized and precise health care delivery, at a lower cost and with higher efficiency and availability. An emerging area at the intersection of informatics, health care, and business is electronic health (eHealth), which encompasses the mediation and interaction between health care and the individual via information and communication technology (ICT). Although the extent of implementation and application of eHealth systems vary, the overall goal is the same: using ICT to provide better care more efficiently at a lower cost. Mobile health (mHealth), as a component of eHealth, involves the use and capitalization on mobile devices and encompasses any use of mobile technology to address health care challenges such as access, quality, affordability, matching of resources, and behavioral norms. The use of mHealth offers great opportunities by allowing asynchronous and remote care to an extensive number of potential users. Applications for mHealth serve a variety of functions: providing easy access to medical information about the symptoms and treatment of various diseases or allowing patients to track clinical measurements that can be sent to the care provider. These applications could change the nature of health care by using technology to increase patient engagement, improve care quality, transform care processes, reduce health care costs, and minimize human error.
Essential for the use of all digital health services is that the treatment of any personal data is compatible with the Patient Data Act, Personal Data Act, and other applicable privacy laws. The European Commission has declared its intention to drive greater legal certainty in the digital health domain, and through the Directive 2011/24/European Union (EU), for the first time, it has placed eHealth in a legal context, requiring member states to cooperate with interoperability standards to allow full use of eHealth services across EU borders. Although some significant steps have been taken toward attaining this goal, the questions of liability for eHealth goods and services are still not fully addressed on EU level legislation. The lack of a fully worked out EU level framework illustrates the difficulties in pinpointing key concepts in relation to this rapidly evolving market. In response to this, the eHealth Authority was formed in Sweden in 2014 with responsibility for registries and the heterogeneity and variety of IT functions developed within Swedish health care.
While the authorities investigate and consider the technological capabilities of eHealth services in the intersection of health care quality, patient safety, ethics and legal matters, new IT services, and mobile applications are advancing dramatically. The focus for the regulatory authorities should be to streamline the regulatory processes and promote innovation, but because regulation and legislation are still behind, governmental authorities are forced to handle many issues in this domain case by case. This implicates that designers of digital health services need to acquire knowledge about relevant regulation and legislation and how to relate to and act on such regulation. A legal framework that could guide designers through these legal challenges, together with an understanding of the definitions of the concepts, would both simplify and speed up development of digital health solutions and promote involvement of designers with experience from digital service design in the development of new digital health services. The aim of this study was to develop such a framework to support designers in development and assessment of digital health services.
The study design was based on a stakeholder analysis approach for generating knowledge about actors to understand their intentions, interrelations, and interests and for assessing their influence on legal challenges in development of digital health services. Data obtained from interviews with relevant authorities and organizations together with information about concepts and regulations in relation to digital health services were analyzed and structured to create a framework for legal challenges.
Case and framing
A framing of the questions about legal challenges and key concepts relevant to development of digital health services was discussed in the project group and with a consulting firm (Carmona AB) with expertise in the field of Web-based services and information solutions for handling of patient data and quality control. The consulting firm is in the forefront of developing such services in accordance with current legislation and in development of new practices and legislation. In this communication, we used data from our development of a digital service for play and interaction between children, aged 8-12 years, who have survived from childhood cancer treatment to frame legal challenges and key concepts. The case was described by a concept description and use experience descriptions through Persona characters and use scenarios.
On the basis of this, a basic understanding of the domain was formed, and a major law firm, with experience of legal issues in health care and a jurisconsult responsible for privacy and patient safety issues at the county council, was consulted with the intention to extend knowledge and our preunderstanding of the legal challenges and key concepts in this domain. A first draft was conceived, of a legal framework with relevant concepts, laws, and agencies or organizations involved in the care of the target group, or with regulatory or supervisory responsibility.
A purposive sampling was used to identify stakeholders and information sources for organizing, extending, and prioritizing the different components of the framework guided by the case. The first contacted stakeholders referred to other stakeholders, that is, a snowball recruitment. The information sources identified and used are listed in Table 1.
Identified websites of organizations, authorities and different operators or actors, and functions were screened for information about concepts and regulations in relation to digital health services. Stakeholders were interviewed about their relationship to eHealth and digital health services (Table 1). Interviewees were representatives from the County Council Board on Coordination of Information Safety, The National Board, The Data Inspection Authority, eHealth Authority, and Inspection Authority for Health Care. Interviews were performed, with one person from each of the aforementioned organizations, over phone (approximately 30 minutes) and repeated if new questions appeared. The topics in the semi-structured interview guide were as follows: (1) Relationship to digital health services; (2) the authority’s function, assignment, and work for digital health services; (3) regulations that govern the work; and finally (4) other relevant information sources we should approach. In cases where we wanted to get the data confirmed in writing, follow-up questions were sent by email to the respective informant.
The meaning out of the data was made in a systematical way to discover the relevant concepts and relationships among the input. All data inputs, such as questions, concept descriptions, laws and regulations, and functions, were put on post-it notes by the main author and structured on different levels and in relation to each other, and an affinity diagram was formed and discussed between all authors. The insights gained were used as a starting point for a framework for assessing the legal challenges in developing health-promoting digital services. The framework was iteratively verified against the project group and stakeholders (the Data Inspection Authority and eHealth Authority) and finally validated against three cases of digital health services.
Identification of concepts and regulations
The identified concepts to consider in this domain are: medical device, eHealth, medical responsibility, care damage, personal data, and consent. The concepts, their definitions, and relevant regulations identified during data collection and the subsequent analysis are listed in Table 2. Concepts and regulations that were identified during data collection but were not found to be relevant for framing of legal challenges from the perspective of development of digital health services are not included in this compilation, such as: health care quality registries, the law on drug lists, and the regulations of The National Board of Health and Welfare.
Structure of concepts and regulations into a framework
On the basis of the identified concepts, regulations, and stakeholders, we designed a framework for assessing the legal challenges in developing digital health services (Legal Challenges in Digital Health [LCDH] Framework) consisting of 6 key questions to be used in prospective evaluation of the relationship of a digital health service to existing laws and regulations (Table 2). The questions are sequentially arranged so that affirmative responses gradually delineate which parts of the law apply to a certain digital health service. Negative responses to the same questions show which laws and regulations that each service is exempt from.
Validation of the framework
The accuracy and quality of the LCDH Framework were assessed by the Swedish Data Inspection Authority and eHealth Authority and, finally, by the consulting firm, the law firm, and the jurisconsult involved in the framing of the data collection. The reviewed and iteratively revised framework was confirmed to be in accordance with current regulation, law and practice, and experience of these stakeholders. Because the stakeholders, during data collection, did not identify additional stakeholders or sources of information than those already included in our dataset (which means that saturation was achieved), the quality assessment of our framework indicated that it was valid and in line with current law and practice.
To assess the usability, and hence the face validity, for using the framework for development and assessment of products and services, we applied the framework for evaluation of the legal challenges in three cases entailing development of digital health services. The questions in the framework (Table 2) were used to systematically evaluate and frame the legal challenges for the development and implementation of the digital services, Give Me a Break, Sisom and DELTA (see Multimedia Appendix 1 at the end).
Is the product a medical device?
A medical device is a product with a medical purpose; as to prove, prevent, monitor, treat or mitigate a disease, and to prove, monitor, treat, mitigate, or compensate an injury or disabilities (Table 2). The three digital services Give Me a Break, Sisom, and DELTA, were developed to facilitate child peer support, communication between children and their care providers, and adolescent’s participation in schools related to their health, respectively. None of the services has medical functions such as handling, treating, or preventing disease or illness and should therefore, according to the definitions outlined in Table 2, not be considered as medical devices.
Is the product an eHealth service?
An eHealth service mediates health information, service or interaction between the health care provider and the individual (Table 2). The system owner and system administrator of each of the three services, as well as the support and maintenance from the operation manager who is responsible for all data, will be independent from health care providers and schools. In one case though, Sisom, the services by the health care providers will be mediated through the digital service and information about the users' personal data will be shared with the health care providers. This service should therefore be considered as an eHealth service. The other two services, Give Me a Break and DELTA, do not mediate any communication of personal data or sensitive interaction at all between health care providers and users and should therefore not be considered as tools or services that use ICT to improve the preventive work, diagnoses, health-care monitoring, or administration and hence therefore not be defined as eHealth services.
Is the service recommended/supplied by the health care provider?
Two of the services, Sisom and DELTA, are recommended and supplied by the health care providers who therefore have medical responsibility for the usage of the services and any potential consequences of usage. This responsibility is independent of whether the services are to be considered as eHealth services. The other service, Give Me a Break, is neither part of regular treatment nor used to improve health care according to the definition of an eHealth service. It is neither recommended nor supplied by the health care provider, and there is therefore no medical responsibility for the activities or the consequences of the interaction on the service that can be imposed on the health care providers.
Is there any risk of care damage?
According to the definition in Table 2, care damage is damage that could have been avoided if adequate measures were taken by the health care provider. The two services recommended and supplied by the health care provider, Sisom and DELTA, are not associated with medical treatment but involve sharing of potentially sensitive personal information. Although the risk of care damage is limited to sharing of personal information, this entails privacy risks for which the health care provider is responsible. To prevent this, there is no follow-up or surveillance system in the services that automatically transfers personal information or use data to the health care provider. To protect the users, the services have well-ordered procedures for registration and login. All information transfers are performed by web encryption technology, and professionally trained personnel monitor all real-time activities and use logs. Moreover, in DELTA, abuse or misconduct can be reported by the users to be handled by the involved school personnel. Both systems thus have significant infrastructure for monitoring safety and security of the users without interfering with their integrity. For the other service, Give Me a Break, the health care provider will not have any medical responsibility, as it neither has a medical purpose nor is seen as health care or treatment. Consequently, although problems can arise, there can be no care damage per se.
Is personal data/personal information handled?
Personal data are handled in all three services and in some cases, such information is of sensitive nature as it relates to health care and is coupled to the users' identity through a personal code number, name, or photo. In Sisom, the health care provider handles sensitive personal data coupled to health care and the users' identity. In Give Me a break and DELTA, the personal data are however not of sensitive nature (not coupled to sensitive information about the users) but deal with their identities and therefore still must be handled with care. In all three services, the users provide all data added into and shared in the system, and the users are the sole owners of the information that they share. In Give Me a Break, the personal and shared user profile is stored but can be deleted by the users themselves if they decide to no longer make it available to others on the service. The provider of each of the three services has complete responsibility for all personal data stored or shared. This includes a responsibility to inform users about the purpose and use of the service; not publish or share sensitive personal data and, if applicable, regularly monitor posts to discover offensive personal data; and promptly remove any offensive personal data.
Does the service lack user agreement?
The aim of this study was to develop a framework for legal challenges to support designers in development and assessment of digital health services. The LCDH Framework presented herein was created based on concepts and regulations identified through interviews with authority representatives, and a process of stakeholder review and iterative revision of the developed framework confirmed that it was in accordance with current regulation, legislation, and practice. Usability evaluation against real cases of digital health services revealed how the definitions in the framework feasibly guided identification of distinctive and appropriate regulation to be considered and legal challenges to relate to given the nature of each of the evaluated services.
The work of government regulation and legislation of digital health services have not so far kept pace with the digital development. Digital health services in various forms are under rapid development and are involving several stakeholders and actors. Game and app developers, for instance, with innovative ideas for digital health may experience obstacles in implementation of digital health services in the interface between health care providers and individuals. One problem can in many cases be the indistinct legislation.
This slow and perhaps circumspect legislation under construction may cause difficulties to developers of digital health services to acquire knowledge about relevant regulation and how to relate to and act on the regulation. Implications of this can be: (1) inaccuracies due to misinterpretations and (2) omitted development of digital health services owing to complexity in understanding the regulations. It would be desirable in the future that this type of regulation and legislation would be prepared in cooperation between the authorities, the developers, and the health care experts. However, until then, there is a need for a dynamic tool, a framework, guiding designers and developers through the legal challenges in development work in the digital health domain, together with an understanding of the definitions of the concepts. This is important both to simplify and speed up development of digital health solutions and to promote involvement of developers experienced in digital service design. There is a need for approaching and proceeding with legal challenges adjacent health care in the design development to facilitate the forthcoming implementation.
The LCDH Framework presented in this article has the qualifications to be a useful tool in guiding designers and developers through the legal challenges in development work in the digital health domain. The framework: (1) considers the current regulation and legislation that apply in the EU; (2) presents the definitions of relevant legal concepts; (3) is verified by the Swedish Data Inspection Authority and eHealth Authority; and finally, (4) is easy to use. The framework merely aims to guide development by identifying legal dividing lines between different digital health services in their product design. It has no legal power to determine guidelines, and a jurisconsult may need to confirm the legal application in case of uncertainties. Although the concepts used in the framework are based on legislation in the EU, it can be used in other contexts to understand the legal challenges and the hierarchy of the various concepts governing legislation within the digital health domain.
Strengths and limitations
As with all methods and studies used in research, certain limitations apply. The interviews were performed with one person from each organization or authority over the phone. Performing the interviews over phone was convenient and time-saving, and if the informants had text material to share, it was sent by email. Important information sources and stakeholders can be identified by using snowball recruitment; however, there is a risk that important informants are missed by this approach. In our study, it is likely that we through this approach identified relevant informants as both the Swedish Data Inspection Authority and the eHealth Authority verified our report. The mapping was performed during the spring and summer of 2014 in accordance with the regulations prevailing in Sweden. The definition of eHealth is however taken from the European Commission’s declaration of eHealth.
Consideration toward ethical aspects is a requirement for both performing and publishing research in relation to health and human subjects. However, as long as such ethical aspects are taken into account, no requirements are placed on that, and research should also be aligned with legal challenges that are relevant to the context of the research.
Structured discussion about legal challenges in relation to health-promoting digital services can be enabled by a constructive framework to investigate, assess, and verify the digital service according to current legislation. The LCDH Framework developed in this study proposes such a framework and can be used in prospective evaluation of the relationship of a potential health-promoting digital service to the existing laws and regulations. However, legislation regarding eHealth in general and health-promoting digital services in particular is under construction, and authorities’ judgments are made from case to case. Further research is critical to expanding the knowledge base of cases, or products, using health-promoting digital service implemented and where current legislation is applied.
he authors want to thank Gunnar Severinson for valuable guidance during project initiation and data analysis and Pontus Wärnestål for advice in the initial stages of data collection. The study was supported by grants from the Swedish Research Council, the Knowledge foundation, and the Regional Swedish Innovation Office West.
Conflicts of interest
Multimedia Appendix 1
Usability validation of The Legal Challenges in Digital Health (LCDH) Framework for exploring the relationship to valid regulations of three health-promoting digital services: PDF file, 30KB
- Topol, E.J. (2012). The Creative Destruction of Medicine: How the Digital Revolution Will Create Better Health Care. New York: Basic Books. pp. 320. ISBN 9780465025503.
- Eysenbach, G. (2001). "What is e-health?". Journal of Medical Internet Research 3 (2): e20. doi:10.2196/jmir.3.2.e20. PMC PMC1761894. PMID 11720962. http://www.pubmedcentral.nih.gov/articlerender.fcgi?tool=pmcentrez&artid=PMC1761894.
- "eHealth". European Commission. http://ec.europa.eu/health/ehealth/policy/index_en.htm. Retrieved 27 April 2016.
- Editor Connect (06 June 2012). "High tech for health". European Commission. https://ec.europa.eu/digital-single-market/en/news/high-tech-health. Retrieved 27 April 2016.
- WHO Global Observatory for eHealth (2011). "mHealth: New horizons for health through mobile technologies: Second global survey on eHealth". World Health Organization. pp. 102. http://apps.who.int/iris/handle/10665/44607.
- Schulke, D.F. (2013). "The regulatory arms race: Mobile health applications and agency posturing". Boston University Law Review 93: 1699–1752.
- Kramer, G.M.; Kinn, J.T.; Mishkind, M.C. (2015). "Legal, Regulatory, and Risk Management Issues in the Use of Technology to Deliver Mental Health Care". Cognitive and Behavioral Practice 22 (3): 258–268. doi:10.1016/j.cbpra.2014.04.008.
- Ferguson, B. (2012). "The Emergence of Games for Health". Games for Health Journal 1 (1): 1–2. doi:10.1089/g4h.2012.1010. PMID 26196423.
- Fellay, S. (04 August 2014). "Changing the rules of health care: Mobile health and challenges for regulation". American Enterprise Institute.
- Andoulsi, I.; Wilson, P. (2013). "Understanding liability in eHealth: Towards greater clarity at European Union level". In George, C.; Whitehouse, D.; Duquenoy, P.. eHealth: Legal, ethical and governance challenges. Springer Berlin Heidelberg. pp. 165–180. doi:10.1007/978-3-642-22474-4_7. ISBN 9783642224744.
- Vedder, A.; Cuijpers, C.; Vantsiouri, P.; Ferrari, M.Z. (2014). "The Law as a ‘Catalyst and Facilitator’ for Trust in E-Health: Challenges and Opportunities". Law, Innovation and Technology 6 (2): 305–325. doi:10.5235/175799188.8.131.525.
- Kolitsi, Z.; Thonnet, M. (2014). "New Directions in eHealth Governance in Europe". In Rosenmöller, M.; Whitehouse, D.; Wilson, P.. Managing eHealth: From vision to reality. Palgrave Macmillan UK. pp. 50–60. doi:10.1057/9781137379443_5. ISBN 9781137379443.
- Stroetmann, K.A. (2014). "Scoping global good eHealth platforms: Implications for sub-Saharan Africa". IST-Africa Conference Proceedings: 1–10. doi:10.1109/ISTAFRICA.2014.6880601. ISBN 9781905824434.
- Nilsson, C. (16 December 2013). "Gamification förnyar vården". IT i Vården. http://itivarden.idg.se/2.2898/1.539129/gamification-fornyar-varden. Retrieved 27 April 2016.
- Brown-Johnson, C.G.; Berrean, B.; Cataldo, J.K. (2015). "Development and usability evaluation of the mHealth Tool for Lung Cancer (mHealth TLC): A virtual world health game for lung cancer patients". Patient Education and Counseling 98 (4): 506–511. doi:10.1016/j.pec.2014.12.006. PMC PMC4451946. PMID 25620075. http://www.pubmedcentral.nih.gov/articlerender.fcgi?tool=pmcentrez&artid=PMC4451946.
- Varvasovszky, Z.; Brugha, R. (2000). "How to do (or not to do)… A stakeholder analysis". Health Policy and Planning 15 (3): 338–45. doi:10.1093/heapol/15.3.338. PMID 11012410.
- Lindberg, S.; Wärnestål, P.; Nygren, J.; Svedberg, P. (2014). "Designing digital peer support for children: Design patterns for social interaction". IDC '13: Proceedings of the 12th International Conference on Interaction Design and Children: 47–56. doi:10.1145/2593968.2593972.
- Wärnestål, P.; Nygren, J. (2013). "Building an experience framework for a digital peer support service for children surviving from cancer". IDC '14: Proceedings of the 2014 Conference on Interaction Design and Children: 269-272. doi:10.1145/2485760.2485794.
- Wärnestål, P.; Svedberg, P.; Nygren, J. (2014). "Co-constructing child personas for health-promoting services with vulnerable children". CHI '14: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems: 3767-3776. doi:10.1145/2556288.2557115.
- Silverman, D. (2013). Doing Qualitative Research: A Practical Handbook. Sage Publications, Ltd. pp. 488. ISBN 9781446260159.
- Waters, J. (2015). "Snowball sampling: A cautionary tale involving a study of older drug users". International Journal of Social Research Methodology 18 (4): 367–380. doi:10.1080/13645579.2014.953316.
- Kolko, J. (2011). Exposing the Magic of Design: A Practitioner's Guide to the Methods and Theory of Synthesis. Oxford University Press. pp. 208. ISBN 9780199744336.
- Lindström, K. (23 August 2013). "Spel vill få en plats i vården". Computer Sweden. IDG.
eHealth: electronic health
EU: European Union
ICT: information and communications technology
LCDH Framework: Legal Challenges in Digital Health Framework
mHealth: mobile health
This presentation is faithful to the original, with only a few minor changes to presentation. In several cases the PubMed ID was missing and was added to make the reference more useful. Several grammar errors were corrected, particularly in Table 2 and the following sections.
Per the distribution agreement, the following copyright information is also being added:
©Cecilia Garell, Petra Svedberg, Jens M Nygren. Originally published in JMIR Medical Informatics (http://medinform.jmir.org), 25.05.2016.