Abstract
Traditional health care is being transformed into digital health care through eHealth applications, mobile health delivery, personalized medicine, and social media. The area of health care is heavily regulated; hence, the design and implementation of innovative eHealth solutions must account for conventional health law. Translating legal norms into features of design and implementation may prove difficult. The aim of this chapter is to facilitate this process and to make first steps towards a methodology for interpreting legal and regulatory rules into engineering requirements. The chapter presents an integrated approach to legal requirements engineering in the context of eHealth, bringing together a methodology for mapping the existing legal and regulatory landscape and strategies for interfacing the identified rules into the design of eHealth technology and processes. Drawing on earlier work of Koops (Law and technology: The challenge of regulating technological, Pisa: Pisa University Press, 37–57), we provide eHealth stakeholders with a toolkit to map, analyze and apply the laws and regulations in order to achieve compliance. The chapter outlines a taxonomy for descriptive research in law and technology as a tool to map the regulatory field in a specific domain. It then illustrates how the tool is to be applied and provides a non-exhaustive overview and analysis of the legal rules relevant for eHealth in Europe, with a focus on the safety and performance requirements for eHealth applications and platforms, and on the data protection rights of eHealth users. Further, we elucidate the role that compliance-by-design strategies have in engineering legal requirements into eHealth technology design and processes. It is suggested that eHealth developers, sellers, and service providers engage in compliance by design in order to ensure and demonstrate compliance with the regulatory landscape.
Notes
- 1.
- 2. ‘Personal data’ is “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity” (Art. 2 (a) DPD).
- 3. Directive 1995/46/EC, Official Journal 1995, L281/31.
- 4. European Commission, Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) COM(2012) 11 final – 2012/0011 (COD), 25.01.2012.
- 5. The EEA includes all EU member states (except Croatia, whose accession to the EEA is not yet finalized at the moment of writing) and Norway, Liechtenstein, and Iceland.
- 6. See Sect. 3.3.2.1 for the definition of the medical device.
- 7. Directive 2011/24/EU (Patients’ Rights Directive), Official Journal 2011, L88/45.
- 8. Helsinki Declaration establishing Ethical Principles for Medical Research Involving Human Subjects, adopted by the 18th World Medical Assembly in Helsinki, Finland, in 1964, as last amended by the World Medical Assembly (the ‘Helsinki Declaration’).
- 9. Directive 2011/24/EU (Patients’ Rights Directive), Official Journal 2011, L88/45.
- 10. See Sect. 3.3.2 for safety and performance requirements for medical devices.
- 11. Directive 2001/95/EC of the European Parliament and the Council of 3 December 2001 on general product safety, Official Journal L 11/4, 15.1.2002.
- 12. See the Proposal for a Regulation on medical devices and the Proposal for a Regulation on in vitro diagnostic medical devices (available at http://ec.europa.eu/health/medical-devices/documents/revision/index_en.htm), intended to replace the existing three directives.
- 13. Guidelines on the qualification and classification of stand-alone software used in healthcare within the regulatory framework of medical devices, MEDDEV 2.1/6 January 2012 (‘MEDDEV 2.1/6 January 2012’).
- 14. ‘Device intended for clinical investigation’ means any device intended for use by a duly qualified medical practitioner when conducting investigations as referred to in Section 2.1 of Annex X in an adequate human clinical environment (Article 1(2)(e) MDD).
- 15. Meaning ‘the first [made] available in return for payment or free of charge of a device other than a device intended for clinical investigation, with a view to distribution and/or use on the Community market, regardless of whether it is new or fully refurbished’ (Article 1(2)(h) MDD).
- 16. Meaning ‘made available to the final user as being ready for use on the Community market for the first time for its intended purpose’ (Article 1(2)(i) MDD).
- 17. Annex IX MDD establishes the criteria of classification. In June 2010 the Commission adopted guidelines on the classification of medical devices (European Commission, “Medical devices: Guidance document – Classification of medical devices,” Guidelines relating to the application of the Council Directive 93/42/EEC on medical devices, MEDDEV 2.4/1 Rev. 9, June 2010, available at http://ec.europa.eu/health/medical-devices/files/meddev/2_4_1_rev_9_classification_en.pdf).
- 18. The most recent list of harmonized standards is to be found in the Commission communication in the framework of the implementation of the Council Directive 93/42/EEC of 14 June 1993 concerning medical devices, of 24 January 2013, Official Journal of the European Union 2013/C 22/02 (at http://ec.europa.eu/enterprise/policies/european-standards/harmonised-standards/medical-devices/index_en.htm).
- 19. See Section 3.4.2.
- 20. Article 20 of the Data Protection Directive, on prior checking where data processing presents specific risks, is nevertheless considered a predecessor to the PIA.
- 21. The overview below is based on the list of benefits described by Wright [33].
- 22. Privacy and Data Protection Impact Assessment Framework for RFID Applications, transmitted to the Article 29 Working Party on 12 January 2011 (‘RFID PIA Framework’), available online at www.cordis.europa.eu
- 23. The RFID PIA Framework was endorsed by the Art 29 WP (Opinion 9/2011 on the revised Industry Proposal for a Privacy and Data Protection Impact Assessment Framework for RFID Applications, WP 180) and was officially signed on 6 April 2011, www.ec.europa.eu/information_society/policy/rfid/documents/rfidpiapressrelease.pdf
- 24. The RFID framework was endorsed after a round of revision, incorporating the feedback given in WP 175.
- 25. Some examples of ‘controls’ are given in Annex IV to the RFID PIA Framework.
- 26. WP 180, p. 5; e.g., unauthorized monitoring of RFID tags (WP 175, p. 9).
- 27. ISO/IEC 27005:2008 definition of risk, cited in WP 205, p. 7.
- 28. The endorsed RFID PIA Framework could be used as a model of a comprehensive PIA framework. It provides guidance on how to describe the technology subject to evaluation (Annex I); privacy targets based on the Data Protection Directive 95/46/EC (Annex II); possible privacy risks in the area of RFID (Annex III); and a list of examples of RFID application controls and mitigating measures, both technical and organizational (Annex IV).
- 29. ISO/IEC 27001:2005, Information technology—Security techniques—Information security management systems—Requirements.
- 30. European Parliament legislative resolution of 12 March 2014 on the proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (COM(2012)0011 – C7-0025/2012 – 2012/0011(COD)).
- 31. For an overview of all 7 principles: IESO (2011), 12–13.
- 32. IESO (2011), 5.
- 33. Directive 2004/17/EC of the European Parliament and of the Council of 31 March 2004 coordinating the procurement procedures of entities operating in the water, energy, transport and postal services sectors, OJ L 134, 30.4.2004, p. 1–113; Directive 2004/18/EC of the European Parliament and of the Council of 31 March 2004 on the coordination of procedures for the award of public works contracts, public supply contracts and public service contracts, OJ L 134, 30.4.2004, p. 114–240.
- 34. Directive 2011/83/EC on consumers’ rights, repealing Directive 97/7/EC as of 13 June 2014.
- 35. Directive 2000/31/EC on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market.
- 36. Directive 97/7/EC of the European Parliament and of the Council of 20 May 1997 on the protection of consumers in respect of distance contracts, OJ L 144, 04/06/1997, p. 19–27, available at http://eur-lex.europa.eu/legal-content/en/ALL/?uri=CELEX:31997L0007.
- 37. Council Directive 85/577/EEC of 20 December 1985 to protect the consumer in respect of contracts negotiated away from business premises, Official Journal L 372, 31/12/1985, p. 0031–0033, available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31985L0577:en:HTML.
- 38. Council Directive 85/374/EEC on liability for defective products, Official Journal 1985, L210/29.
References
Article 29 Working Party (2001) Opinion 8/2001 on the processing of personal data in the employment context. (WP 84)
Article 29 Working Party (2007) Working document on the processing of personal data relating to health in electronic health records (EHR). Adopted on 2007 (WP 131)
Article 29 Working Party (2007) Opinion 4/2007 on the concept of personal data (WP 136)
Article 29 Working Party (2010) Opinion 1/2010 on the concepts of controller and processor (WP 169)
Article 29 Working Party (2010) Opinion 5/2010 on the industry proposal for a privacy and data protection impact assessment framework for RFID applications (WP 175)
Article 29 Working Party (2011) Opinion 9/2011 on the revised industry proposal for a privacy and data protection impact assessment framework for RFID applications (WP 180)
Article 29 Working Party (2012) Working document 01/2012 on epSOS. Adopted on 25 January 2012 (WP 189)
Article 29 Working Party (2013) Opinion 02/2013 on apps on smart devices. Adopted on 27 February 2013 (WP 202)
Article 29 Working Party (2013) Opinion 03/2013 on purpose limitation. Adopted on 2 April 2013 (WP 203)
Article 29 Working Party (2013) Opinion 04/2013 on the data protection impact assessment template for smart grid and smart metering systems (‘DPIA Template’) prepared by Expert Group 2 of the Commission’s Smart Grid Task Force. Adopted on 22 April 2013 (WP 205)
Brownsword R (2008) Rights, regulation and the technological revolution. Oxford University Press, Oxford
Bygrave L (2002) Data protection law: approaching its rationale, logic and limits. Kluwer Law International, New York, NY
Committee on Civil Liberties, Justice and Home Affairs (2013) Report on the proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (COM(2012)0011 – C7-0025/2012 – 2012/0011(COD)) 21 November 2013
Dumortier J, Goemans C (2004) Privacy protection and identity management. In: Blažič B, Schneider W (eds) Security and privacy in advanced networking technologies. Ios Press, Amsterdam
ENISA (2011) Smartphone secure development guideline. http://www.enisa.europa.eu/activities/Resilience-and-CIIP/critical-applications/smartphone-security-1/smartphone-secure-development-guidelines
European Commission (2014) Commission staff working document on existing EU legal framework applicable to lifestyle and wellbeing apps, Accompanying the document Green Paper on mobile Health (“mHealth”), COM(2014) 219 final, Brussels, 10 April 2014 (‘Staff Working Document’)
Gellert R, Kloza D (2012) Can privacy impact assessment mitigate civil liability? A precautionary approach. In: Schweighofer E, Kummer F, Hötzendorfer W (eds) Transformation juristischer Sprachen, Tagungsband des 15. Internationalen Rechtsinformatik Symposions IRIS 2012. Österreichische Computer Gesellschaft, Vienna, pp 497–505
Guidelines on the qualification and classification of stand-alone software used in healthcare within the regulatory framework of medical devices, MEDDEV 2.1/6, January 2012 (‘MEDDEV 2.1/6 January 2012’)
Hervey T, Trubek G (2007) Freedom to provide health care services within the EU: an opportunity for a transformative directive. Columbia J Eur Law 13:624ff
Koops B-J (2013) A taxonomy for descriptive research in law and technology. In: Palmerini E, Stradella E (eds) Law and technology: the challenge of regulating technological. Pisa University Press, Pisa, pp 37–57
Koops B-J, Leenes R (2013) Privacy regulation cannot be hardcoded. A critical comment on the ‘privacy by design’ provision in data-protection law. Int Rev Law Comp Tech 28(2):159
Korff D (2008) Data protection laws in the European Union. FEDM
Kuner C (2008) European data protection law – corporate compliance and regulation. Oxford University Press, Oxford
Lohmann N (2013) Compliance by design for artifact based business processes. Inf Syst 38(4):606
Löhr H, Sadeghi A-R, Winandy M (2010) Securing the e-health cloud. In: Proceedings of the 1st ACM international health informatics symposium, ser. IHI’10. ACM, New York, NY
Lear J, Mossialos E, Karl B (2010) EU competition law and health policy. In: Mossialos E, Permanand G, Baeten R, Hervey T (eds) Health systems governance in Europe. Cambridge UP, Cambridge
Mossialos E et al (eds) (2010) Health systems governance in Europe. Cambridge UP, Cambridge, Chapters 10–12
Otto PN, Anton IA (2007) Addressing legal requirements in requirements engineering. In: 5th IEEE international requirements engineering conference (RE 2007). IEEE, Washington, DC
Oudshoorn N, Rommes E, Stienstra M (2004) Configuring the user as everybody: gender and design cultures in information and communication technologies. Sci Tech Hum Val 29(1):30–63
Article 29 Working Party (2011) Privacy and data protection impact assessment framework for RFID applications. Transmitted on 12 January 2011 (‘RFID PIA Framework’). Available from: www.cordis.europa.eu
Prosser T (2010) EU competition law and public services. In: Mossialos E, Permanand G, Baeten R, Hervey T (eds) Health systems governance in Europe. Cambridge UP, Cambridge, pp 315–336
Vedder AH, Vantsiouri P. Building trust in E-Health Services, unpublished
Wright D (2012) The state of the art in privacy impact assessment. Comp Law Secur Rev 28:54
Wright D, De Hert P (eds) (2010) Privacy impact assessment. Springer, Dordrecht
© 2015 Springer International Publishing Switzerland
Cite this chapter
Purtova, N., Kosta, E., Koops, BJ. (2015). Laws and Regulations for Digital Health. In: Fricker, S., Thümmler, C., Gavras, A. (eds) Requirements Engineering for Digital Health. Springer, Cham. https://doi.org/10.1007/978-3-319-09798-5_3
DOI: https://doi.org/10.1007/978-3-319-09798-5_3
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-09797-8
Online ISBN: 978-3-319-09798-5