
Laws and Regulations for Digital Health

Chapter in: Requirements Engineering for Digital Health

Abstract

Traditional health care is being transformed into digital health care through eHealth applications, mobile health delivery, personalized medicine, and social media. Health care is a heavily regulated area, so the design and implementation of innovative eHealth solutions must account for conventional health law. Translating legal norms into design and implementation features can prove difficult. The aim of this chapter is to facilitate this process and to take first steps towards a methodology for interpreting legal and regulatory rules as engineering requirements. The chapter presents an integrated approach to legal requirements engineering in the context of eHealth, bringing together a methodology for mapping the existing legal and regulatory landscape with strategies for interfacing the identified rules into the design of eHealth technology and processes. Drawing on earlier work of Koops (Law and technology: The challenge of regulating technological development, Pisa: Pisa University Press, 37–57), we provide eHealth stakeholders with a toolkit to map, analyze and apply the laws and regulations in order to achieve compliance. The chapter outlines a taxonomy for descriptive research in law and technology as a tool for mapping the regulatory field in a specific domain. It then illustrates how the tool is applied and provides a non-exhaustive overview and analysis of the legal rules relevant for eHealth in Europe, with a focus on the safety and performance requirements for eHealth applications and platforms, and on the data protection rights of eHealth users. Further, we elucidate the role that compliance-by-design strategies play in engineering legal requirements into eHealth technology design and processes. It is suggested that eHealth developers, sellers, and service providers engage in compliance by design in order to ensure and demonstrate compliance with the regulatory landscape.


Notes

  1. www.fi-star.eu/

  2. ‘Personal data’ is “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity” (Art. 2(a) DPD).

  3. Directive 95/46/EC, Official Journal 1995, L281/31.

  4. European Commission, Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) COM(2012) 11 final – 2012/0011 (COD), 25.01.2012.

  5. The EEA includes all EU member states (except Croatia, whose accession to the EEA was not yet finalised at the time of writing) plus Norway, Liechtenstein, and Iceland.

  6. See Sect. 3.3.2.1 for the definition of a medical device.

  7. Directive 2011/24/EU (Patients’ Rights Directive), Official Journal 2011, L88/45.

  8. Helsinki Declaration establishing Ethical Principles for Medical Research Involving Human Subjects, adopted by the 18th World Medical Assembly in Helsinki, Finland, in 1964, as last amended by the World Medical Assembly (the ‘Helsinki Declaration’).

  9. Directive 2011/24/EU (Patients’ Rights Directive), Official Journal 2011, L88/45.

  10. See Sect. 3.3.2 for the safety and performance requirements for medical devices.

  11. Directive 2001/95/EC of the European Parliament and of the Council of 3 December 2001 on general product safety, Official Journal 2002, L11/4, 15.1.2002.

  12. See the Proposal for a Regulation on medical devices and the Proposal for a Regulation on in vitro diagnostic medical devices (available at http://ec.europa.eu/health/medical-devices/documents/revision/index_en.htm), intended to replace the existing three directives.

  13. Guidelines on the qualification and classification of stand-alone software used in healthcare within the regulatory framework of medical devices, MEDDEV 2.1/6, January 2012 (‘MEDDEV 2.1/6 January 2012’).

  14. ‘Device intended for clinical investigation’ means any device intended for use by a duly qualified medical practitioner when conducting investigations as referred to in Section 2.1 of Annex X in an adequate human clinical environment (Article 1(2)(e) MDD).

  15. ‘Placing on the market’ means ‘the first making available in return for payment or free of charge of a device other than a device intended for clinical investigation, with a view to distribution and/or use on the Community market, regardless of whether it is new or fully refurbished’ (Article 1(2)(h) MDD).

  16. ‘Putting into service’ means the stage at which a device has been ‘made available to the final user as being ready for use on the Community market for the first time for its intended purpose’ (Article 1(2)(i) MDD).

  17. Annex IX MDD establishes the classification criteria. In June 2010 the Commission adopted guidelines on the classification of medical devices (European Commission, “Medical devices: Guidance document – Classification of medical devices,” Guidelines relating to the application of the Council Directive 93/42/EEC on medical devices, MEDDEV 2.4/1 Rev. 9, June 2010, available at http://ec.europa.eu/health/medical-devices/files/meddev/2_4_1_rev_9_classification_en.pdf).

  18. The most recent list of harmonised standards is found in the Commission communication in the framework of the implementation of Council Directive 93/42/EEC of 14 June 1993 concerning medical devices, of 24 January 2013, Official Journal of the European Union 2013/C 22/02 (at http://ec.europa.eu/enterprise/policies/european-standards/harmonised-standards/medical-devices/index_en.htm).

  19. See Sect. 3.4.2.

  20. Although Article 20 of the Data Protection Directive, on prior checking where data processing presents specific risks, is considered a predecessor of the PIA.

  21. The overview below is based on the list of benefits described by Wright [33].

  22. Privacy and Data Protection Impact Assessment Framework for RFID Applications, transmitted to the Article 29 Working Party on 12 January 2011 (‘RFID PIA Framework’), available online at www.cordis.europa.eu

  23. The RFID PIA Framework was endorsed by the Art 29 WP (Opinion 9/2011 on the revised Industry Proposal for a Privacy and Data Protection Impact Assessment Framework for RFID Applications, WP 180) and officially signed on 6 April 2011, www.ec.europa.eu/information_society/policy/rfid/documents/rfidpiapressrelease.pdf

  24. The RFID PIA Framework was endorsed after a round of revision incorporating the feedback given in WP 175.

  25. Some examples of ‘controls’ are given in Annex IV to the RFID PIA Framework.

  26. WP 180, p. 5; e.g., unauthorised monitoring of RFID tags (WP 175, p. 9).

  27. The ISO/IEC 27005:2008 definition of risk, cited in WP 205, p. 7.

  28. The endorsed RFID PIA Framework could be used as a model of a comprehensive PIA framework. It provides guidance on how to describe the technology under evaluation (Annex I); privacy targets based on the Data Protection Directive 95/46/EC (Annex II); possible privacy risks in the area of RFID (Annex III); and a list of example RFID application controls and mitigating measures, both technical and organisational (Annex IV).

  29. ISO/IEC 27001:2005, Information technology—Security techniques—Information security management systems—Requirements.

  30. European Parliament legislative resolution of 12 March 2014 on the proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (COM(2012)0011 – C7-0025/2012 – 2012/0011(COD)).

  31. For an overview of all seven principles, see IESO (2011), 12–13.

  32. IESO (2011), 5.

  33. Directive 2004/17/EC of the European Parliament and of the Council of 31 March 2004 coordinating the procurement procedures of entities operating in the water, energy, transport and postal services sectors, OJ L 134, 30.4.2004, p. 1–113.

      Directive 2004/18/EC of the European Parliament and of the Council of 31 March 2004 on the coordination of procedures for the award of public works contracts, public supply contracts and public service contracts, OJ L 134, 30.4.2004, p. 114–240.

  34. Directive 2011/83/EU on consumer rights, repealing Directive 97/7/EC as of 13 June 2014.

  35. Directive 2000/31/EC on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market.

  36. Directive 97/7/EC of the European Parliament and of the Council of 20 May 1997 on the protection of consumers in respect of distance contracts, OJ L 144, 04/06/1997, p. 19–27, available at http://eur-lex.europa.eu/legal-content/en/ALL/?uri=CELEX:31997L0007.

  37. Council Directive 85/577/EEC of 20 December 1985 to protect the consumer in respect of contracts negotiated away from business premises, Official Journal L 372, 31/12/1985, p. 31–33, available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31985L0577:en:HTML.

  38. Council Directive 85/374/EEC on liability for defective products, Official Journal 1985, L210/29.

References

  1. Article 29 Working Party (2001) Opinion 8/2001 on the processing of personal data in the employment context (WP 48)

  2. Article 29 Working Party (2007) Working document on the processing of personal data relating to health in electronic health records (EHR). Adopted in 2007 (WP 131)

  3. Article 29 Working Party (2007) Opinion 4/2007 on the concept of personal data (WP 136)

  4. Article 29 Working Party (2010) Opinion 1/2010 on the concepts of controller and processor (WP 169)

  5. Article 29 Working Party (2010) Opinion 5/2010 on the industry proposal for a privacy and data protection impact assessment framework for RFID applications (WP 175)

  6. Article 29 Working Party (2011) Opinion 9/2011 on the revised industry proposal for a privacy and data protection impact assessment framework for RFID applications (WP 180)

  7. Article 29 Working Party (2012) Working document 01/2012 on epSOS. Adopted on 25 January 2012 (WP 189)

  8. Article 29 Working Party (2013) Opinion 02/2013 on apps on smart devices. Adopted on 27 February 2013 (WP 202)

  9. Article 29 Working Party (2013) Opinion 03/2013 on purpose limitation. Adopted on 2 April 2013 (WP 203)

  10. Article 29 Working Party (2013) Opinion 04/2013 on the data protection impact assessment template for smart grid and smart metering systems (‘DPIA Template’) prepared by Expert Group 2 of the Commission’s Smart Grid Task Force. Adopted on 22 April 2013 (WP 205)

  11. Brownsword R (2008) Rights, regulation and the technological revolution. Oxford University Press, Oxford

  12. Bygrave L (2002) Data protection law: approaching its rationale, logic and limits. Kluwer Law International, New York, NY

  13. Committee on Civil Liberties, Justice and Home Affairs (2013) Report on the proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (COM(2012)0011 – C7-0025/2012 – 2012/0011(COD)), 21 November 2013

  14. Dumortier J, Goemans C (2004) Privacy protection and identity management. In: Blažič B, Schneider W (eds) Security and privacy in advanced networking technologies. IOS Press, Amsterdam

  15. ENISA (2011) Smartphone secure development guidelines. http://www.enisa.europa.eu/activities/Resilience-and-CIIP/critical-applications/smartphone-security-1/smartphone-secure-development-guidelines

  16. European Commission (2014) Commission staff working document on the existing EU legal framework applicable to lifestyle and wellbeing apps, accompanying the document Green Paper on mobile Health (“mHealth”), COM(2014) 219 final, Brussels, 10 April 2014 (‘Staff Working Document’)

  17. Gellert R, Kloza D (2012) Can privacy impact assessment mitigate civil liability? A precautionary approach. In: Schweighofer E, Kummer F, Hötzendorfer W (eds) Transformation juristischer Sprachen. Tagungsband des 15. Internationalen Rechtsinformatik Symposions IRIS 2012. Österreichische Computer Gesellschaft, Vienna, pp 497–505

  18. Guidelines on the qualification and classification of stand-alone software used in healthcare within the regulatory framework of medical devices, MEDDEV 2.1/6, January 2012 (‘MEDDEV 2.1/6 January 2012’)

  19. Hervey T, Trubek G (2007) Freedom to provide health care services within the EU: an opportunity for a transformative directive. Columbia J Eur Law 13:624ff

  20. Koops B-J (2013) A taxonomy for descriptive research in law and technology. In: Palmerini E, Stradella E (eds) Law and technology: the challenge of regulating technological development. Pisa University Press, Pisa, pp 37–57

  21. Koops B-J, Leenes R (2013) Privacy regulation cannot be hardcoded. A critical comment on the ‘privacy by design’ provision in data-protection law. Int Rev Law Comp Tech 28(2):159

  22. Korff D (2008) Data protection laws in the European Union. FEDM

  23. Kuner C (2008) European data protection law – corporate compliance and regulation. Oxford University Press, Oxford

  24. Lohmann N (2013) Compliance by design for artifact-based business processes. Inf Syst 38(4):606

  25. Löhr H, Sadeghi A-R, Winandy M (2010) Securing the e-health cloud. In: Proceedings of the 1st ACM international health informatics symposium (IHI ’10). ACM, New York, NY

  26. Lear J, Mossialos E, Karl B (2010) EU competition law and health policy. In: Mossialos E, Permanand G, Baeten R, Hervey T (eds) Health systems governance in Europe. Cambridge University Press, Cambridge

  27. Mossialos E et al (eds) (2010) Health systems governance in Europe. Cambridge University Press, Cambridge, Chapters 10–12

  28. Otto PN, Antón AI (2007) Addressing legal requirements in requirements engineering. In: 15th IEEE international requirements engineering conference (RE 2007). IEEE, Washington, DC

  29. Oudshoorn N, Rommes E, Stienstra M (2004) Configuring the user as everybody: gender and design cultures in information and communication technologies. Sci Tech Hum Val 29(1):30–63

  30. Article 29 Working Party (2011) Privacy and data protection impact assessment framework for RFID applications. Transmitted on 12 January 2011 (‘RFID PIA Framework’). Available from: www.cordis.europa.eu

  31. Prosser T (2010) EU competition law and public services. In: Mossialos E, Permanand G, Baeten R, Hervey T (eds) Health systems governance in Europe. Cambridge University Press, Cambridge, pp 315–336

  32. Vedder AH, Vantsiouri P. Building trust in e-health services. Unpublished

  33. Wright D (2012) The state of the art in privacy impact assessment. Comp Law Secur Rev 28:54

  34. Wright D, De Hert P (eds) (2010) Privacy impact assessment. Springer, Dordrecht


Correspondence to Nadezhda Purtova .


Copyright information

© 2015 Springer International Publishing Switzerland

Cite this chapter

Purtova, N., Kosta, E., Koops, BJ. (2015). Laws and Regulations for Digital Health. In: Fricker, S., Thümmler, C., Gavras, A. (eds) Requirements Engineering for Digital Health. Springer, Cham. https://doi.org/10.1007/978-3-319-09798-5_3

  • DOI: https://doi.org/10.1007/978-3-319-09798-5_3

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-09797-8

  • Online ISBN: 978-3-319-09798-5
