JMIR Med Inform. 2016 Apr-Jun; 4(2): e17.
Published online 2016 May 25. doi:  10.2196/medinform.5401
PMCID: PMC4909384

A Legal Framework to Support Development and Assessment of Digital Health Services

Monitoring Editor: Gunther Eysenbach
Reviewed by Maurits Graafland and Chris Hardesty
Cecilia Garell, MSc, Petra Svedberg, RN, PhD, and Jens M Nygren, MSc, PhD (corresponding author)

Abstract

Background

Digital health services empower people to track, manage, and improve their own health and quality of life while delivering a more personalized and precise health care, at a lower cost and with higher efficiency and availability. Essential for the use of digital health services is that the treatment of any personal data is compatible with the Patient Data Act, Personal Data Act, and other applicable privacy laws.

Objective

The aim of this study was to develop a framework for legal challenges to support designers in development and assessment of digital health services.

Methods

A purposive sampling, together with snowball recruitment, was used to identify stakeholders and information sources for organizing, extending, and prioritizing the different concepts, actors, and regulations in relation to digital health and health-promoting digital systems. The data were collected through structured interviewing and iteration, and 3 different cases were used for face validation of the framework.

Results

A framework for assessing the legal challenges in developing digital health services (Legal Challenges in Digital Health [LCDH] Framework) was created and consists of 6 key questions to be used to evaluate a digital health service according to current legislation.

Conclusions

Structured discussion about legal challenges in relation to health-promoting digital services can be enabled by a constructive framework to investigate, assess, and verify the digital service according to current legislation. The LCDH Framework developed in this study proposes such a framework and can be used in prospective evaluation of the relationship of a potential health-promoting digital service with the existing laws and regulations.

Keywords: digital health, legal aspects, technological innovations

Introduction

Through the use of wireless devices, sensor technologies, the Internet, social networks, health information technology (IT), and personal health data, digital health services empower people to track, manage, and improve their own health and quality of life. At the same time, these services provide a more personalized and precise health care delivery, at a lower cost and with higher efficiency and availability [1]. An emerging area at the intersection of informatics, health care, and business is electronic health (eHealth) [2], which encompasses the mediation and interaction between health care and the individual via information and communication technology (ICT) [3]. Although the extent of implementation and application of eHealth systems varies, the overall goal is the same: using ICT to provide better care more efficiently at a lower cost [4]. Mobile health (mHealth), as a component of eHealth, involves the use of and capitalization on mobile devices [5] and encompasses any use of mobile technology to address health care challenges such as access, quality, affordability, matching of resources, and behavioral norms [6]. The use of mHealth offers great opportunities by allowing asynchronous and remote care [7] to an extensive number of potential users [5]. Applications for mHealth serve a variety of functions: providing easy access to medical information about the symptoms and treatment of various diseases or allowing patients to track clinical measurements that can be sent to the care provider [6]. These applications could change the nature of health care [8] by using technology to increase patient engagement, improve care quality, transform care processes [6], reduce health care costs, and minimize human error [9].

Essential for the use of all digital health services is that the treatment of any personal data is compatible with the Patient Data Act, Personal Data Act, and other applicable privacy laws. The European Commission has declared its intention to drive greater legal certainty in the digital health domain, and through the Directive 2011/24/European Union (EU), for the first time, it has placed eHealth in a legal context, requiring member states to cooperate with interoperability standards to allow full use of eHealth services across EU borders [10]. Although some significant steps have been taken toward attaining this goal, the questions of liability for eHealth goods and services are still not fully addressed in EU-level legislation. The lack of a fully worked out EU-level framework illustrates the difficulties in pinpointing key concepts in relation to this rapidly evolving market. In response to this, the eHealth Authority was formed in Sweden in 2014 with responsibility for registries and the heterogeneity and variety of IT functions developed within Swedish health care.

While the authorities investigate and consider the technological capabilities of eHealth services in the intersection of health care quality, patient safety, ethics, and legal matters, new IT services and mobile applications are advancing dramatically. The focus for the regulatory authorities should be to streamline the regulatory processes and promote innovation [11], but because regulation and legislation are still behind, governmental authorities are forced to handle many issues in this domain case by case [10]. This implies that designers of digital health services need to acquire knowledge about relevant regulation and legislation and how to relate to and act on such regulation [12]. A legal framework that could guide designers through these legal challenges, together with an understanding of the definitions of the concepts [13], would both simplify and speed up development of digital health solutions [14] and promote involvement of designers with experience from digital service design [15] in the development of new digital health services. The aim of this study was to develop such a framework to support designers in development and assessment of digital health services.

Methods

The study design was based on a stakeholder analysis approach for generating knowledge about actors to understand their intentions, interrelations, and interests and for assessing their influence on legal challenges in development of digital health services [16]. Data obtained from interviews with relevant authorities and organizations together with information about concepts and regulations in relation to digital health services were analyzed and structured to create a framework for legal challenges.

Case and Framing

A framing of the questions about legal challenges and key concepts relevant to development of digital health services was discussed in the project group and with a consulting firm (Carmona AB) with expertise in the field of Web-based services and information solutions for handling of patient data and quality control. The consulting firm is in the forefront of developing such services in accordance with current legislation and in development of new practices and legislation. In this communication, we used data from our development of a digital service for play and interaction between children, aged 8-12 years, who have survived childhood cancer treatment to frame legal challenges and key concepts [17]. The case was described by a concept description [18] and use experience descriptions through Persona characters and use scenarios [19].

On the basis of this, a basic understanding of the domain was formed, and a major law firm, with experience of legal issues in health care and a jurisconsult responsible for privacy and patient safety issues at the county council, was consulted with the intention to extend knowledge and our preunderstanding of the legal challenges and key concepts in this domain. A first draft of a legal framework was conceived, with relevant concepts, laws, and agencies or organizations involved in the care of the target group, or with regulatory or supervisory responsibility.

Information Sources

A purposive sampling [20] was used to identify stakeholders and information sources for organizing, extending, and prioritizing the different components of the framework guided by the case. The first contacted stakeholders referred to other stakeholders, that is, a snowball recruitment [21]. The information sources identified and used are listed in Table 1.

Table 1
Identified actors, organizations, and authorities, and their area of expertise, to be considered in the following investigation.

Data Collection

Identified websites of organizations, authorities and different operators or actors, and functions were screened for information about concepts and regulations in relation to digital health services. Stakeholders were interviewed about their relationship to eHealth and digital health services (Table 1). Interviewees were representatives from the County Council Board on Coordination of Information Safety, The National Board, The Data Inspection Authority, eHealth Authority, and Inspection Authority for Health Care. Interviews were performed, with 1 person from each of the aforementioned organizations, by phone (approximately 30 minutes) and repeated if new questions appeared. The topics in the semistructured interview guide were as follows: (1) relationship to digital health services; (2) the authority’s function, assignment, and work for digital health services; (3) regulations that govern the work; and finally (4) other relevant information sources we should approach. In cases where we wanted to get the data confirmed in writing, follow-up questions were sent by email to the respective informant.

Data Analysis

Meaning was derived from the data in a systematic way to discover the relevant concepts and relationships among the inputs [22]. All data inputs, such as questions, concept descriptions, laws and regulations, and functions, were put on post-it notes by the main author and structured on different levels and in relation to each other, and an affinity diagram was formed and discussed between all authors. The insights gained were used as a starting point for a framework for assessing the legal challenges in developing health-promoting digital services. The framework was iteratively verified against the project group and stakeholders (the Data Inspection Authority and eHealth Authority) and finally validated against three cases of digital health services.

Results

Identification of Concepts and Regulations

The identified concepts to consider in this domain are: medical device, eHealth, medical responsibility, care damage, personal data, and consent. The concepts, their definitions, and relevant regulations identified during data collection and the subsequent analysis are listed in Table 2. Concepts and regulations that were identified during data collection but were not found to be relevant for framing of legal challenges from the perspective of development of digital health services are not included in this compilation, such as: health care quality registries, the law on drug lists, and the regulations of The National Board of Health and Welfare.

Table 2
The Legal Challenges in Digital Health (LCDH) Framework for exploring a prospective health promoting digital service’s relationship to valid regulations.

Structure of Concepts and Regulations Into a Framework

On the basis of the identified concepts, regulations, and stakeholders, we designed a framework for assessing the legal challenges in developing digital health services (Legal Challenges in Digital Health [LCDH] Framework) consisting of 6 key questions to be used in prospective evaluation of the relationship of a digital health service to existing laws and regulations (Table 2). The questions are sequentially arranged so that affirmative responses gradually delineate which parts of the law apply to a certain digital health service. Negative responses to the same questions show which laws and regulations each service is exempt from.

Validation of the Framework

The accuracy and quality of the LCDH Framework were assessed by the Swedish Data Inspection Authority and eHealth Authority and, finally, by the consulting firm, the law firm, and the jurisconsult involved in the framing of the data collection. The reviewed and iteratively revised framework was confirmed to be in accordance with current regulation, law and practice, and experience of these stakeholders. Because the stakeholders, during data collection, did not identify additional stakeholders or sources of information other than those already included in our dataset (which means that saturation was achieved), the quality assessment of our framework indicated that it was valid and in line with current law and practice.

To assess the usability, and hence the face validity, for using the framework for development and assessment of products and services, we applied the framework for evaluation of the legal challenges in 3 cases entailing development of digital health services. The questions in the framework (Table 2) were used to systematically evaluate and frame the legal challenges for the development and implementation of the digital services, Give Me a Break, Sisom and DELTA (Multimedia Appendix 1).

Is the Product a Medical Device?

A medical device is a product with a medical purpose, such as to prove, prevent, monitor, treat, or mitigate a disease, and to prove, monitor, treat, mitigate, or compensate for an injury or disabilities (Table 2). The 3 digital services, Give Me a Break, Sisom, and DELTA, were developed to facilitate child peer support, communication between children and their care providers, and adolescents' participation in schools related to their health, respectively. None of the services has medical functions such as handling, treating, or preventing disease or illness and should therefore, according to the definitions outlined in Table 2, not be considered as medical devices.

Is the Product an eHealth Service?

An eHealth service mediates health information or service or interaction between health care and the individual (Table 2). The system owner and system administrator of each of the 3 services, as well as the support and maintenance from the operation manager who is responsible for all data, will be independent from health care providers and schools. In one case though, Sisom, the services by the health care providers will be mediated through the digital service and information about the users' personal data will be shared with the health care providers. This service should therefore be considered as an eHealth service. The other 2 services, Give Me a Break and DELTA, do not mediate any communication of personal data or sensitive interaction at all between health care providers and users and should therefore not be considered as tools or services that use ICT to improve the preventive work, diagnoses, health-care monitoring, or administration, and hence should not be defined as eHealth services.

Is the Service Recommended/Supplied by the Health Care?

Two of the services, Sisom and DELTA, are recommended and supplied by the health care services who therefore have medical responsibility for the usage of the services and any potential consequences of usage. This responsibility is independent of whether the services are to be considered as eHealth services. The other service, Give Me a Break, is neither part of regular treatment nor used to improve health care according to the definition of an eHealth service. It is neither recommended nor supplied by the health care, and there is therefore no medical responsibility for the activities or the consequences of the interaction on the service that can be imposed on the health care providers.

Is There Any Risk of Care Damage?

According to the definition in Table 2, care damage is a damage that could have been avoided if adequate measures were taken by health care. The 2 services recommended and supplied by the health care, Sisom and DELTA, are not associated with medical treatment but involve sharing of potentially sensitive personal information. Although the risk of care damage is limited to sharing of personal information, this entails privacy risks for which the health care is responsible. To prevent this, there is no follow-up or surveillance system in the services that automatically transfers personal information or use data to the health care. To protect the users, the services have well-ordered procedures for registration and login. All information transfers are performed by web encryption technology, and professionally trained personnel monitor all real-time activities and use logs. Moreover, in DELTA, abuse or misconduct can be reported by the users to be handled by the involved school personnel. Both systems thus have significant infrastructure for monitoring safety and security of the users without interfering with their integrity. For the other service, Give Me a Break, the health care will not have any medical responsibility, as it neither has a medical purpose nor is seen as health care or treatment. Consequently, although problems can arise, there can be no care damage per se.

Are Personal Data/Personal Information Handled?

Personal data are handled in all the 3 services, and in some cases such information is of a sensitive nature as it relates to health and is coupled to the user's identity through a personal code number, name, or photo. In Sisom, health care handles sensitive personal data coupled to health and the users' identity. In Give Me a Break and DELTA, the personal data are however not of a sensitive nature (not coupled to sensitive information about the users) but deal with their identities and therefore still must be handled with care. In all the 3 services, the users provide all data added into and shared in the system, and the users are the sole owners of the information that they share. In Give Me a Break, the personal and shared user profile is stored but can be deleted by the users themselves if they decide to no longer make it available to others on the service. The provider of each of the 3 services has complete responsibility for all personal data stored or shared. This includes responsibility to: inform about the purpose and use of the service; not publish or share sensitive personal data, if applicable, regularly monitor posts to discover offensive personal data; and promptly remove any offensive personal data.

Does the Service Lack User Agreement?

At registration and the first logon to all the 3 services, the users and their parents must approve an agreement in which the purpose of the service is outlined. The user agreement regulates privacy issues, terms of use, and responsibilities. Specifically, the agreements state to what extent and how the services are a part of the user’s health care. For Give Me a Break, the user agreement also states that all use takes place on the users' own initiative and under their own responsibility.

Discussion

The aim of this study was to develop a framework for legal challenges to support designers in development and assessment of digital health services. The LCDH Framework presented herein was created based on concepts and regulations identified through interviews with authority representatives, and a process of stakeholder review and iterative revision of the developed framework confirmed that it was in accordance with current regulation, legislation, and practice. Usability evaluation against real cases of digital health services revealed how the definitions in the framework feasibly guided identification of distinctive and appropriate regulation to be considered and legal challenges to relate to given the nature of each of the evaluated services.

The work of government regulation and legislation of digital health services has not so far kept pace with the digital development. Digital health services in various forms are under rapid development and involve several stakeholders and actors. Game and app developers, for instance, with innovative ideas for digital health may experience obstacles in implementation of digital health services in the interface between health care and individuals [23]. One problem can in many cases be the indistinct legislation.

This slow and perhaps circumspect legislation under construction may make it difficult for developers of digital health services to acquire knowledge about relevant regulation and how to relate to and act on the regulation. Implications of this can be: (1) inaccuracies due to misinterpretations and (2) omitted development of digital health services owing to complexity in understanding the regulations. It would be desirable in the future that this type of regulation and legislation would be prepared in cooperation between the authorities, the developers, and the health care experts [12]. However, until then, there is a need for a dynamic tool, a framework, guiding designers and developers through the legal challenges in development work in the digital health domain, together with an understanding of the definitions of the concepts [13]. This is important both to simplify and speed up development of digital health solutions [14] and to promote involvement of developers experienced in digital service design [15]. There is a need for approaching and proceeding with legal challenges adjacent to health care in the design development to facilitate the forthcoming implementation.

The LCDH Framework presented in this article has the qualifications to be a useful tool in guiding designers and developers through the legal challenges in development work in the digital health domain. The framework: (1) considers the current regulation and legislation that apply in the EU; (2) presents the definitions of relevant legal concepts; (3) is verified by the Swedish Data Inspection Authority and eHealth Authority; and finally, (4) is easy to use. The framework merely aims to guide development by identifying legal dividing lines between different digital health services in their product design. It has no legal power to determine guidelines, and a jurisconsult may need to confirm the legal application in case of uncertainties. Although the concepts used in the framework are based on legislation in the EU, it can be used in other contexts to understand the legal challenges and the hierarchy of the various concepts governing legislation within the digital health domain.

Strengths and Limitations

As with all methods and studies used in research, certain limitations apply. The interviews were performed with 1 person from each organization or authority over the phone. Performing the interviews by phone was convenient and time-saving, and if the informants had text material to share, it was sent by email. Important information sources and stakeholders can be identified by using snowball recruitment [21]; however, there is a risk that important informants are missed by this approach. In our study, it is likely that we identified relevant informants through this approach, as both the Swedish Data Inspection Authority and the eHealth Authority verified our report. The mapping was performed during the spring and summer of 2014 in accordance with the regulations prevailing in Sweden. The definition of eHealth is however taken from the European Commission’s declaration of eHealth [3].

Conclusions

Consideration toward ethical aspects is a requirement for both performing and publishing research in relation to health and human subjects. However, as long as such ethical aspects are taken into account, no requirements are placed on that, and research should also be aligned with legal challenges that are relevant to the context of the research.

Structured discussion about legal challenges in relation to health-promoting digital services can be enabled by a constructive framework to investigate, assess, and verify the digital service according to current legislation. The LCDH Framework developed in this study proposes such a framework and can be used in prospective evaluation of the relationship of a potential health-promoting digital service to the existing laws and regulations. However, legislation regarding eHealth in general and health-promoting digital services in particular is under construction, and authorities’ judgments are made from case to case. Further research is critical to expanding the knowledge base of cases, or products, using health-promoting digital service implemented and where current legislation is applied.

Acknowledgments

The authors want to thank Gunnar Severinson for valuable guidance during project initiation and data analysis and Pontus Wärnestål for advice in the initial stages of data collection. The study was supported by grants from the Swedish Research Council, the Knowledge Foundation, and the Regional Swedish Innovation Office West.

Abbreviations

eHealth: electronic health
EU: European Union
ICT: information and communications technology
LCDH Framework: Legal Challenges in Digital Health Framework
mHealth: mobile health

Multimedia Appendix 1

Usability validation of The Legal Challenges in Digital Health (LCDH) Framework for exploring the relationship to valid regulations of 3 health-promoting digital services.

Footnotes

Conflicts of Interest: None declared.

References

1. Topol E. The Creative Destruction of Medicine: How the Digital Revolution Will Create Better Health Care. New York: Basic Books; 2012.
2. Eysenbach G. What is e-health? J Med Internet Res. 2001;3(2):E20. doi: 10.2196/jmir.3.2.e20. http://www.jmir.org/2001/2/e20/
3. European Commission. E-health. Public health. [2016-04-27]. http://ec.europa.eu/health/ehealth/policy/index_en.htm
4. European Commission. High tech for health. 2012 Jun 06. [2016-04-27]. https://ec.europa.eu/digital-single-market/en/news/high-tech-health
5. World Health Organization. mHealth: New Horizons for Health through Mobile Technologies: Second Global Survey on eHealth (Global Observatory for eHealth). Geneva, Switzerland: World Health Organization; 2011.
6. Schulke DF. The regulatory arms race: Mobile health applications and agency posturing. Boston University Law Review. 2013;(93):1699–1752.
7. Kramer GM, Kinn JT, Mishkind MC. Legal, Regulatory, and Risk Management Issues in the Use of Technology to Deliver Mental Health Care. Cognitive and Behavioral Practice. 2015 Aug;22(3):258–268. doi: 10.1016/j.cbpra.2014.04.008.
8. Ferguson B. Editorial: The Emergence of Games for Health. Games for Health Journal. 2012;1(1):1–2. doi: 10.1089/g4h.2012.1010.
9. Fellay S. Changing the rules of health care: Mobile health and challenges for regulation. American Enterprise Institute. 2014. [2016-04-28]. http://www.aei.org/publication/changing-the-rules-of-health-care-mobile-health-and-challenges-for-regulation/
10. Andoulsi I, Wilson P. Understanding liability in eHealth: Towards greater clarity at European Union level. In: George C, Whitehouse D, Duquenoy P, editors. eHealth: Legal, ethical and governance challenges. Heidelberg Berlin: Springer; 2013. pp. 165–180.
11. Vedder A, Cuijpers C, Vantsiouri P, Zuleta Ferrari M. The law as a ‘catalyst and facilitator’ for trust in e-health: challenges and opportunities. Law, Innovation and Technology. 2014;6(2):305–325. doi: 10.5235/17579961.6.2.305.
12. Kolitsi Z, Thonnet M. New directions in eHealth governance in Europe. In: Rosenmöller M, Whitehouse D, Wilson P, editors. Managing eHealth: From vision to reality. Basingstoke, Hampshire, UK: Palgrave Macmillan; 2014. pp. 50–60.
13. Stroetmann KA. Scoping global good eHealth platforms: implications for sub-Saharan Africa. IST-Africa 2014 Conference; May 06-09, 2014; Mauritius. 2014.
14. Nilsson C. Gamification förnyar vården. IT i vården. 2013 Dec 16. [2016-04-27]. http://itivarden.idg.se/2.2898/1.539129/gamification-fornyar-varden
15. Brown-Johnson CG, Berrean B, Cataldo JK. Development and usability evaluation of the mHealth tool for lung cancer (mHealth TLC): A virtual world health game for lung cancer patients. Patient Education and Counseling. 2015;98(4):506–511. doi: 10.1016/j.pec.2014.12.006.
16. Varvasovszky Z, Brugha R. How to do (or not to do)… A stakeholder analysis. Health Policy and Planning. 2000 Sep;15(3):338–345. http://heapol.oxfordjournals.org/cgi/pmidlookup?view=long&pmid=11012410
17. Lindberg S, Wärnestål P, Nygren J, Svedberg P. Designing digital peer support for children: design patterns for social interaction. IDC'14 Proceedings of the 2014 conference on Interaction design and children; June 17-20, 2014; Aarhus, Denmark. New York: ACM; 2014. pp. 47–56.
18. Wärnestål P, Nygren J. Building an experience framework for a digital peer support service for children surviving from cancer. IDC '13 Proceedings of the 12th International Conference on Interaction Design and Children; June 24-27; New York, NY, USA. 2013.
19. Wärnestål P, Svedberg P, Nygren J. Co-constructing child personas for health-promoting services with vulnerable children. The ACM CHI Conference on Human Factors in Computing Systems; April 26-May 01; Toronto, ON, Canada. 2014.
20. Silverman D. Doing Qualitative Research. London, UK: Sage Publications; 2013.
21. Waters J. Snowball sampling: a cautionary tale involving a study of older drug users. International Journal of Social Research Methodology. 2014;18(4):367–380. doi: 10.1080/13645579.2014.953316.
22. Kolko J. Exposing the magic of design. Oxford, USA: Oxford University Press; 2011.
23. Lindström K. Spel vill få en plats i vården. Computer Sweden. 2013 Aug 23. [2016-04-27]. http://computersweden.idg.se/2.2683/1.519064/spel-vill-fa-en-plats-i-varden?queryText=Spel

Articles from JMIR Medical Informatics are provided here courtesy of JMIR Publications Inc.