Digital Healthcare 2022

Last Updated July 06, 2022

Contributed By QUINZ

Law and Practice

Authors



QUINZ is a Brussels-based law firm with a strong focus on life sciences. Quinz assists the global, regional (Europe, the Middle East and Africa (EMEA), Latin America (LATAM), Asia-Pacific (APAC)) and local (Belgian, Luxembourg and the Netherlands) legal departments of pharmaceutical companies on a broad array of (strategic, operational, licensing and M&A) transactions throughout the life cycle of a life sciences product. Quinz has also developed sound expertise in regional and local regulatory work (including pricing and reimbursement, clinical trials, data transparency, marketing authorisation procedures, current good manufacturing practice (CGMP) and compliance matters (including transfers of value, promotion of life sciences products, antitrust compliance questions, patient-directed programmes, and the General Data Protection Regulation)). Quinz was founded in 2011. Its life sciences department is headed by Pieter Wyckmans and Olivier Van Obberghen. Clients include Janssen Pharmaceutica, UCB, Takeda, Novo Nordisk, and Roche.

Digital healthcare is an umbrella term that stands for the use of information and communication technologies (ICT) – and, in particular, internet technology – to support or improve healthcare in the broadest sense, including e-health platforms, electronic patient files, electronic drug prescriptions, teleconsultations, and medical, fitness and well-being applications (apps).

Digital medicine and digital therapeutics (DTx) are subsets of digital healthcare and hence conceptually fall within its broad scope. The two concepts, however, can be hard to tell apart. Digital medicine refers to the deployment of technologies as tools for diagnosis and intervention to improve human health (eg, clinical decision support software) whereas DTx refers to evidence-based therapeutic interventions driven by software to prevent, manage or treat a medical disorder or disease and to spur changes in patient behaviour (eg, wearables and other wireless devices). They include patient-facing software apps that therapeutically support patients, bear the CE marking (see 6. Software as a Medical Device) and have a proven clinical benefit. Typically, DTx is classified as a subcategory of digital medicine.

Regulatory oversight, including the need for clinical evidence, will be critical in the context of digital medicine and DTx products and services due to their deployment for interventional, diagnostic and therapeutic purposes. In addition, these products will often meet the definition of a medical device, hence requiring compliance with applicable medical device legislation.

Both from a healthcare provider and patient/consumer perspective, it can be assumed that digital healthcare technologies, in general, will be – and already are – more rapidly and widely embedded into society due to their supportive and facilitative character. It is very likely, however, that some of these products will be received more sceptically by patients due to their more "invasive" nature (eg, insideables).

Neither “digital health” nor “digital medicine” nor “DTx” is currently defined in the Belgian regulatory framework.

As the main technologies in digital healthcare are likely to be focused on the collection, processing, transmission and presentation of data, technologies such as cloud computing, communication technologies, wireless networks (such as 5G – see 9.1 The Impact of 5G Networks on Digital Healthcare) and big data will remain essential. Nevertheless, the importance of other technologies such as robotics, virtual reality and the internet of medical things (IoMT) should not be underestimated.

Technologies (that can be) deployed in the context of digital medicine and DTx are equally numerous and include:

  • personal genomics (which is expected to play an important role in personalised and predictive medicine);
  • artificial intelligence (AI) (which may contribute to more accurate diagnosis);
  • robot-assisted surgery; and
  • wearables and sensors (which can be used for continuous and remote monitoring of vital functions of patients).

Novel health technologies (eg, AI, the IoMT, 5G networks and Bluetooth) are challenging the boundaries of the Belgian regulatory framework, which is often ill adapted to address the legal concerns such technologies entail. Existing laws and regulations scarcely accommodate the questions raised as a result of a continuously developing digital healthcare industry, including with regard to:

  • data protection and privacy (eg, illegitimate processing of personal data);
  • cybersecurity (eg, ransomware);
  • intellectual property protection (eg, can AI be an inventor?);
  • liability (eg, can AI be liable?);
  • reimbursement (eg, telehealth); and
  • compliance (eg, CE markings).

The digitalisation of healthcare also involves a number of actors entering the industry that are unfamiliar with the highly regulated framework in which health products are embedded, which requires additional compliance investments. As a final point, the emergence of AI-driven healthcare technologies might involve ethical considerations regarding privacy, bias and discrimination in healthcare.

The COVID-19 crisis has brought the digitalisation of public health to the forefront, increasing the pace of the application of digital healthcare products (eg, the increased use of medical, fitness and well-being apps). Radical social distancing measures and the need to reduce pressure on hospital units resulted in clusters of emergency telehealth measures being adopted. Many patients accessed their online personal health viewer for the first time to consult their COVID-19 test results. The Belgian Data Protection Authority relentlessly advised on temperature checks, contact tracing and the (lack of) employer prerogatives at the workplace.

While the success of some of these initiatives, such as the contact-tracing app, may have been modest, the shifted attitudes of patients, healthcare providers and regulators towards digital healthcare technologies are likely here to stay.

The Federal Agency for Medicines and Health Products (FAMHP) oversees the quality, safety and efficacy of medicines and health products, both during the clinical development process and with regard to the authorisation and marketing of drug and health products. In addition, the National Institute for Health and Disability Insurance (NIHDI) establishes reimbursement schemes for healthcare services, medicines and health products.

Healthcare professionals have certain reporting obligations to the Federal Public Service for Health, the organs of which supervise the services and practice of those healthcare professionals.

Lastly, professional associations such as the Order of Physicians and the Order of Pharmacists impose deontological obligations on healthcare professions, while self-regulatory industry organisations such as pharma.be and beMedTech lay down ethical rules for pharmaceutical and medical device companies.

After a long transition period, Regulation (EU) 2017/745 (the Medical Device Regulation, or MDR) is applicable as of 26 May 2021 and Regulation (EU) 2017/746 (the In Vitro Diagnostic Medical Device Regulation, or IVDR) applies as of 26 May 2022. Furthermore, the NIHDI has also recently launched a scheme for the reimbursement of mobile health apps (as further discussed under 4.4 Regulatory Developments).

Additionally, electronic prescribing has been mandatory as of the beginning of 2020. The Healthcare Quality of Practice Act of 22 September 2019 safeguarding privacy, safety and quality of healthcare has (partially) come into force.

Finally, several legislative proposals in light of the European data strategy (which will undoubtedly have a considerable impact on the digital healthcare industry) have also been adopted in recent months, as further discussed under 3.1 Non-healthcare Regulatory Agencies, Regulatory Concerns and New Healthcare Technologies.

Enforcement concerning digital healthcare has been limited in Belgium up until this point; however, regulatory authorities have increasingly been on guard since the beginning of the COVID-19 crisis. The main areas of enforcement concern data protection infringements, violations of the rules governing the marketing and sale of medical devices and competition considerations.

One can conclude that the digital healthcare landscape has been left relatively unscathed. However, the medtech industry will likely become an enforcement priority in the next few years due to the application of the MDR and the IVDR.

The increasing digitalisation of the healthcare industry is causing healthcare professionals and businesses to be impacted incrementally by legislators regulating digital markets. For instance, the European Union recently launched several legislative initiatives governing digital markets, goods and services (including the proposed regulations for the Data Act, the Data Governance Act, the Digital Services Act and the Digital Markets Act) and a proposal to regulate AI (see 11.2 AI and Machine Learning Data Under Privacy Regulations).

In addition, recent decisions of the European Commission (eg, with regard to the acquisition of Fitbit by Google) and the 2022 enforcement priorities of the Belgian Competition Authority demonstrate that the digital health space is being closely monitored by market and competition authorities. Moreover, the healthcare industry is continuously looking for guidance from, and engaging with, data protection authorities such as the Belgian Data Protection Authority and the European Data Protection Board to manage the challenges that accompany the introduction of novel technologies in the sector. Several regulatory agencies also take on a different role with regard to new health products. Where the Federal Public Service of Economy was traditionally predominantly involved in the setting of prices of medicines and implantable medical devices, it will now have to take on more responsibility with regard to the advertising of (online) healthcare products and services.

The interests of such non-healthcare agencies are from time to time at odds with those pursued by regulatory healthcare agencies. For example, since the validity of certain data transfer mechanisms has been called into question this past year, privacy experts generally recommend that personal data be kept as much as possible within the European Economic Area or any other country that has been recognised by the European Commission as offering sufficient safeguards for data protection. This suggestion does not only collide with the reality of global pharmaceutical or medical device companies, where much of the research and development (R&D) takes place in countries not offering adequate protection of personal data, but also conflicts with the requirements of regulatory agencies governing the authorisation and marketing of health products, which generally demand worldwide clinical and safety data.

The interplay between the responsibilities of non-healthcare and healthcare agencies is now more frequently uncovered and many regulatory agencies have made commitments to collaborate more closely with one another. It will now be important to ensure that these pledges are being put into practice and a harmonised regulatory framework is being established.

Preventative healthcare (also referred to as “primary prevention”) refers to a category of healthcare in which the main objective is to avoid a disease occurring by detecting health problems before any symptoms develop (eg, vaccination).

Diagnostic healthcare (also referred to as “secondary prevention”) involves treating or diagnosing a disease as early as possible by monitoring existing problems, checking new symptoms, and following up on test results to initiate treatment without delay, and, as a result, reducing its mortality or severity (eg, radiology, ultrasound, cancer screening programmes and laboratory testing).

Preventative healthcare and diagnostic healthcare must be distinguished from curative care, which is only initiated when a disease has manifested itself with the onset of symptoms.

The rapid convergence between digital technologies and healthcare has changed how preventative healthcare is delivered at the population level, shifting the focus from curative care to preventative care. New tools such as clinical decision support software, wearables, insideables, and fitness and well-being apps significantly contribute to actively monitoring a patient’s health status and preventing or diagnosing diseases.

It is therefore not surprising that the future of healthcare is expected to be preventative, which is substantially cheaper (ie, diseases are prevented or diagnosed before they become major and expensive treatments are avoided) and is considered fundamental in the context of the future sustainability of the Belgian healthcare system.

Fitness and well-being apps that cannot be classified as a medical device (see 6. Software as a Medical Device) are not (yet) regulated by the legislator. However, this does not necessarily imply that the data collected and processed through such apps is not regulated either. On the contrary, in the event that this data concerns information that is related to an identified or identifiable natural person within the meaning of the General Data Protection Regulation (GDPR), such processing must comply with the provisions of said regulation (see 10.1 The Legal Relationship Between Digital Healthcare and Personal Health Information).

The use of mobile health apps in the healthcare process is becoming more common and plays a substantial role in the context of increased preventative healthcare (see 4.2 Increased Preventative Healthcare). However, as opposed to other European member states, their reimbursement has long been a sore point in Belgium. The Belgian federal government has therefore established a system making reimbursement of these apps possible. “mHealthBelgium” is a platform that involves several stakeholders – including beMedTech, Agoria, the FAMHP, the eHealth-platform and the NIHDI – and centralises all relevant and necessary information regarding these apps for patients. It provides a validation pyramid consisting of three levels: M1, M2 and M3 (including M3- and M3+).

The first level, M1, requires that the CE mark is submitted and that the FAMHP is notified, which will then verify the app’s conformity with the applicable medical device legislation. In addition to the requirements of the first level, apps entering the second level, M2, must meet all ICT requirements as imposed by the eHealth-platform in the context of cybersecurity and data protection and privacy. The third level, M3, regulates the funding and reimbursement of the app. In this regard, an app entering M3- is temporarily funded while still collecting data regarding its socio-economic value. If the app’s socio-economic value is adequately proven, the app is eligible to enter M3+, which means that the NIHDI will officially reimburse the app. Recently, and for the first time in Belgian history, the rehabilitation and recovery app “moveUP” has entered level M3-, and hence is currently funded by the NIHDI while collecting the necessary data regarding its socio-economic value.

Furthermore, in order to promote sports and a healthy lifestyle, Belgian health insurance funds partly reimburse gym subscriptions or other sports association memberships. In addition, the NIHDI is strengthening the provision of psychological care for the Belgian population by largely reimbursing the costs involved. In this way, psychological care is becoming more accessible and the threshold lower.

The challenges non-healthcare companies might face – or that non-healthcare companies should at least consider – when entering the healthcare industry are extensive. Notably, this industry is highly regulated and complicated. Non-healthcare companies will therefore need to adjust their market strategies in accordance with the applicable regulatory frameworks that govern health products and services (eg, in the context of the promotion of medical devices). Moreover, these companies will also have to invest largely in compliance, which will very likely include compliance with data protection laws and regulations, intellectual property laws and regulations, and medical device legislation.

Finally, yet importantly, non-healthcare companies will need to take into account that they will have to accommodate not only the interests of the end users but also those of other stakeholders within the healthcare industry such as doctors, hospitals, health insurance providers and the NIHDI.

The limited number of healthcare staff and the lack of resources in Belgium necessitate the use of advanced technologies to support the healthcare system – which has become even more apparent due to the COVID-19 outbreak. Considered a convenient and efficient way to store and manage the massive amounts of data collected and processed, cloud computing services integrated with the IoMT (ie, the collection of digital healthcare products that connect to IT systems through online computer networks) might offer a solution. These technologies provide sufficient potential that can be used for monitoring, diagnosis, support and intelligent decision-making at a rapid pace (eg, through wearable devices).

Cloud computing services in combination with the IoMT provide an array of benefits (and challenges) for healthcare providers and patients, enhancing patient experience (by providing real-time access to medical information) and improving collaboration between healthcare providers (by sharing data). This consumer-centric approach significantly facilitates patient monitoring and enables healthcare providers to serve patients anywhere they desire to receive their care.

As discussed in detail hereunder (see 15. Liability), in Belgium, the traditional regimes consist of contractual and extra-contractual liability. On top of that, Belgium’s medical liability system is twofold, including the medical liability of a physician or a hospital as well as a fund to compensate for severe damage as a consequence of, for instance, medical accidents without liability. In this context, manufacturers, suppliers or sellers of health devices such as wearables, implantables and digestibles might be liable under the product liability framework if the end user (eg, a patient) has suffered damage due to the malfunctioning of such products.

The healthcare industry is particularly sensitive to data breaches and incidents (eg, the leaking of personal data) and cybersecurity attacks (eg, hacking). As a result, stakeholders should always carefully assess the possible implications and risks when making use of the IoMT, whether it be in a cloud computing environment or an on-premises and local computing platform. In the event that a digital healthcare company decides to collaborate with a cloud service provider, this service provider will likely process the data on behalf of the digital healthcare company. Within the context of the GDPR, the company might then be considered a controller (ie, which decides on the purposes and the means of the processing of personal data) and the service provider a processor, which, in turn, might outsource several processing activities to its sub-processors.

It is therefore of profound importance to contractually cover any risks relating to data protection and cybersecurity and to allocate the roles and responsibilities clearly and adequately in a data processing agreement. This agreement must include extensive audit rights for the benefit of the digital healthcare company as well as a liability clause that sufficiently protects the digital healthcare company in the event of any claims of patients or a data protection authority as a result of infringements by the cloud service provider. Lastly, the cloud service provider must ensure appropriate organisational and technical measures to secure any personal data and confidential documents stored.

To respond to the growing threats posed by the digitalisation of healthcare and the surge in cyber-attacks, the European Commission intends to replace the current Network and Information Security (NIS) Directive to strengthen the security requirements, address the security of supply chains, streamline reporting obligations, and introduce more stringent supervisory measures and stricter enforcement requirements, including harmonised sanctions across the European Union. Since many hospitals and other healthcare providers in Belgium did not fall under the scope of application of the first NIS Directive, the NIS2 Directive might be particularly important for the Belgian healthcare industry as it extends the scope of entities to which the NIS requirements apply.

Under the MDR, software is classified as a medical device in its own right (MDSW) if it is intended to be used for a medical purpose as set out in Section 2(1) of the MDR (eg, diagnosis, prevention, monitoring, treatment or alleviation of a disease, injury or disability, or control or support of conception). The medical device framework shall also apply if software is intended to drive or control the use of a medical device or can be considered as an accessory of a medical device. The classification of software as an MDSW has important consequences, as the medical device framework is complex and burdensome, especially for manufacturers that are just entering the digital healthcare market. Software companies may therefore be incentivised to indicate that their product is not intended for medical purposes and should instead be considered a fitness or wellness product, in order to avoid having to comply with this framework.

The MDR introduces a new risk-categorisation system for medical devices that entails that many MDSWs may now fall under Class IIA and higher. This may, for example, be the case when software is used to make therapeutic or diagnostic decisions (eg, clinical decision support software). If an MDSW cannot be classified under Class I, self-assessment will no longer suffice to receive the CE marking and, thus, market access for an MDSW may become increasingly time-consuming. Moreover, the new draft regulation on AI (the “Artificial Intelligence Act” – see also 11. AI and Machine Learning) recognises that certain AI systems may be high risk and proposes that the requirements for any such AI system should be checked in the conformity assessment of the medical device.

The more rigorous requirements of the quality management system under the MDR compared to its predecessor and a focus on post-market surveillance in the MDR and the Artificial Intelligence Act are the first steps towards managing software that is improved or modified throughout its lifetime; however, a comprehensive framework on machine/deep learning medical devices is still absent and the current landscape still revolves around "static" rather than "dynamic" medical devices.

Telehealth holds the promise of increasing the accessibility, efficiency and affordability of healthcare while offering the patient a more personalised and highly specialised approach. Through telehealth services, the patient’s right to choose their physician is no longer determined by location but by best fit. In addition, telemonitoring services through wearables and other remote patient monitoring devices and technologies foster early discovery and intervention and provide physicians with a dynamic overview of a patient’s health status as opposed to a snapshot at the time a patient comes in for consultation.

Tele-expertise is no longer limited to a select group of key opinion leaders consulting on rare diseases but is also readily used by general practitioners seeking advice from specialists. Where hospitals and physicians go digital, the online (retail) pharmacy follows, providing pharmaceutical advice and products more rapidly and cost effectively. However, telehealth services also give rise to several risks and challenges, more notably regarding the credibility and certification of online healthcare providers; the confidentiality, privacy and security of patient data; the reimbursement of cross-border services; and medical liability.

So far, Belgium does not have an integral telehealth framework. While telemonitoring and tele-expertise between physicians have been common practice for quite some time, the National Council of the Order of Physicians has long been opposed to diagnosing patients at a distance, asserting that considerable risks were involved and that, therefore, physicians could only diagnose patients without a physical consultation in exceptional cases. However, Directive 2011/24/EU on patients’ rights in cross-border healthcare establishes the “country of origin” principle, meaning that healthcare professionals established in a member state of the European Union can provide healthcare services to patients located in other member states under the same terms and conditions as they are able to provide in their member state of establishment. In other words, Belgium cannot impose its regulatory framework on a healthcare provider that is established in another EU member state and is providing healthcare services to a recipient in Belgium. In addition, Directive 2011/24/EU obliges the NIHDI to reimburse certain cross-border healthcare services. This has led to the contradictory situation where a patient could not receive reimbursed telehealth services from a physician located in Belgium, but that patient could receive (reimbursement for) those healthcare services if they were provided by a physician located in another EU member state.

The beginning of the COVID-19 crisis signified the end of an era in which healthcare was centred around in-person consultations and brought the telehealth framework on stream. The emergency measures taken by the legislator provided that telehealth services were allowed and were reimbursable by the NIHDI, if provided:

  • after having obtained a patient’s informed consent;
  • via a means of communication with end-to-end encryption;
  • to the extent that the patient is able to attend the consultation at distance, both physically and mentally;
  • under the condition that the continuity of care is safeguarded; and
  • provided that the quality of care is guaranteed.

However temporary these measures were, it is already apparent that the sudden widespread use of health services at a distance has induced a shift in mindsets, not only of physicians and patients, but also at the regulatory level. To this extent, recent telehealth initiatives have been given the approval of the NIHDI and the National Council of the Order of Physicians.

Slowly, but surely, a liberalisation on the sale of medicines and medical devices is also emerging. As of 2019, patients and healthcare professionals can purchase their medical devices (carrying a CE mark) directly (online) from any distributor or manufacturer instead of in a pharmacy.

Telehealth services have only been introduced in the nomenclature of the NIHDI in the past few years and, even now, a comprehensive reimbursement scheme is lacking. Certain mobile health applications that (i) are classified as a medical device, (ii) are CE marked, connected or interoperable with the Belgian eHealth-platform, and (iii) have demonstrated sufficient socio-economic added value are eligible for reimbursement. In April 2022, for the first time in Belgian history, the NIHDI decided that a recovery and rehabilitation app (a DTx product) could receive preliminary funding while a rolling review on the socio-economic value of the app was ongoing (see 4.4 Regulatory Developments).

As previously discussed, telehealth services provided within the limits of the COVID-19 emergency measures can also be reimbursed, as well as certain cross-border healthcare services in light of Directive 2011/24/EU. The NIHDI is also testing a number of pilot projects concerning telemedicine and has expressed its commitment to develop a consolidated framework in the near future.

Consumer and connected devices and the IoMT are welcome allies in the fight against a rise in welfare and chronic diseases, the challenges arising from an ageing population and a healthcare budget that is increasingly under pressure from innovative but high-cost therapies. Through wearables, physicians can monitor patients consistently and effectively at home, leaving hospital beds available for patients who need to be admitted for intervention. The older generation is able to live at home for a longer period via the help of digital assistants and medical-alert systems, which reduces the burden on residential care centres and care staff. Lastly, individuals are empowered to take their health into their own hands and, consequently, the overuse of healthcare services is prevented.

Nonetheless, the devices and applications related to the IoMT are not without their controversies. To begin with, mobile health applications and consumer devices are often presented as a wellness or fitness device and manufacturers avoid labelling their products as “intended for medical purposes” in order to evade the stringent regulatory requirements applicable to medical devices (for more information on classification as a medical device, see 6. Software as a Medical Device). Accordingly, medical advice may be disguised as lifestyle recommendations given by unqualified professionals, contrary to the rules on lawful practice of medicine and the regulatory oversight by the FAMHP on medical devices.

Virtual hospitals and telemonitoring also result in changing roles and responsibilities for healthcare professionals, who should therefore not only be trained in their respective areas of expertise, but also in cybersecurity, IT and data protection.

Furthermore, since the patient data collected by IoMT devices and applications is often transmitted to the manufacturer prior to being provided to the healthcare provider, the medtech industry collaborates with healthcare professionals more closely and comes into contact with patients and patient organisations more often and more closely, which results in concerns regarding the advertising and promotion of health products. Cybersecurity and privacy risks are also prominently present in this field of digital healthcare, as devices, technologies and applications are interconnected and may process personal data collected in this setting outside the strict realms of healthcare provision. Finally, a key problem remains the inequality of access to these devices and technologies, as the reimbursement schemes for digital healthcare applications remain fragmented (see also 7.3 Payment and Reimbursement).

The low latency, increased speed and bandwidth of 5G networks allow cellular wireless networks to compete fully with wired networks in the provision of digital healthcare. This, in turn, could allow for the provision of telehealth services from, and to, practically everywhere, even in the absence of wired networks. The possibilities for remote healthcare that 5G brings to the table are crucial for medical treatment in disaster areas, as wired infrastructure might be impacted or destroyed as a result of a disaster, or these areas might be hard to reach. The same applies for first responders, who, through 5G technology, will be able to provide remote first aid or benefit from the qualities and experience of specialists and colleagues without a need for their physical presence.

Moreover, the aforementioned qualities of 5G networks coupled with their increased connection density will allow for a more complete and effective integration of technologies such as the IoMT in digital healthcare. For example, one might think of the use of sensors and wearables, allowing the monitoring of vital functions not only during a telehealth consultation but consistently over a longer period, providing healthcare practitioners with useful insights on the overall health, stability or pathology of a patient. The use of IoMT technologies (enabled by 5G networks) will allow this data to be transmitted automatically to healthcare practitioners and allow the various wearables or sensors to communicate and interact with each other.

Overall, it can be expected that 5G will enable the provision of remote healthcare services in a more effective, reliable and comprehensive manner, with the possibility of remote operations due to low latency of 5G networks as a pinnacle.

Nonetheless, the highly sensitive and private nature of data created, processed and transferred in the context of digital healthcare is diametrically opposed to the public character of (5G) wireless communication networks. Hence, when entering into arrangements with telecoms providers that deploy and manage a 5G network, sufficient attention to provisions regarding responsibility for network security and data protection and privacy will be paramount. Furthermore, when relying on (wireless) technologies for the provision of critical services such as healthcare services, contractual provisions regarding the assurance of connection stability and liability for failure or interruption of services will also be crucial.

Patients have the right to privacy and a carefully kept and stored patient record in relation to their healthcare professional (Articles 9 and 10 of the Act of 22 August 2002 on Patients’ Rights and Articles 33–40 of the Health Care Quality of Practice Act of 22 September 2019). However, the time when medical confidentiality by healthcare professionals was sufficient to safeguard patients’ health information is long gone. Patient information is currently stored in an electronic health record on the eHealth-platform and can, to the extent relevant for treatment, be accessed by a patient’s healthcare provider after having obtained that patient’s consent. In addition, in a digitalised healthcare industry, several other participants will need to process a patient’s personal data. Personal information regarding health and genetic and biometric data are considered sensitive personal data under Article 9 of the GDPR. Processing of such personal data is principally prohibited, unless a justification applies. Personal data relating to health can therefore only be processed in exceptional cases.

Implications of Schrems II

Data protection in the healthcare industry is further complicated by recent developments. The landmark Schrems II case of the European Court of Justice quashed the EU–US Privacy Shield and questioned the validity of data transfers under the (old) European Commission’s standard contractual clauses (SCCs) to third countries with inadequate data protection and privacy laws. In response, the European Commission issued modernised SCCs on 4 June 2021. Nevertheless, the question as to whether these transfer mechanisms are sufficient to overcome inadequate data protection and privacy laws in third countries remains unchanged. This is a significant hurdle as (med)tech companies are often global enterprises and innovative health solutions require collaborations across borders. If (health) data can no longer be transferred to tech-savvy countries such as China and the US (regardless of the safeguards taken by contracting parties), this may drastically impair digital healthcare progress.

Data Processing in Partnerships and Secondary Use

Other uncertainties relate to the data processing roles and responsibilities in multi-stakeholder innovative partnerships such as consortium agreements; even in multi-study-site clinical research projects, it remains unclear which processing role each party takes on. This leads to ambiguity for data subjects and can cause considerable delays in the negotiation of partnership agreements.

Another point of interest is the possibility of using existing research data for secondary use. The GDPR and the European Commission guidelines provide some flexibility to ask for consent for a broader field of research instead of for one research project; however, it remains to be seen how any such margin should be interpreted in practice (see Recital 33 of the GDPR).

European Health Data Space

In closing, the European Commission is currently working on an ambitious project that would constitute a European Health Data Space, holding qualitative health data and facilitating the sharing of data for research, innovation and improvement of public health without losing sight of data protection and privacy. If this initiative were to succeed and were to gain the trust of patients and healthcare providers, the path forward for machine learning, AI, research and innovation may look quite promising.

In the current healthcare ecosystem, it may be more appropriate to make use of the term “augmented intelligence” rather than “artificial intelligence”; that is to say, human capabilities can only be augmented but not replaced by intelligent devices. AI systems work well in verifying outcomes, correcting human errors and processing large amounts of information efficiently, but are presently not intended to function without human instruction, oversight and intervention in an industry as sensitive as the healthcare industry.

For machine/deep learning and AI to work to the best of their abilities, large amounts of highly qualitative training data sets are needed. This requirement often seems to be at odds with a few of the basic principles of the GDPR, such as purpose and use limitation and data minimisation. It may therefore be challenging to secure sufficiently comprehensive rights on data in order to be able to use and share such data with relevant partners. Transparency and patient empowerment are useful tools that may help this purpose; ie, if extensive information about the processing of personal data is given by the healthcare provider to the patient, a patient is more willing to give their free informed consent (although the adequacy of consent as a legal basis must not be overestimated).

Lastly, due to the emergence of virtual assistants (such as Alexa), natural language processing (NLP) (ie, the ability of a computer program to understand human language as it is spoken and written) is slowly but steadily becoming integrated into the healthcare industry. However, NLP has led in the past to significant concerns from a data protection and privacy perspective due to the difficulty of confirming and verifying the results of the data processed by AI systems, which are often characterised by bias. As a result, AI is usually difficult to deploy in a transparent manner and thus it is paramount to always carefully assess its intended use (eg, data processing impact assessment) in order to apply appropriate additional measures.

In April 2021, the European Commission unveiled its AI package proposing new rules and actions to turn Europe into the global hub for trustworthy AI, including a proposal for a European regulatory framework on AI, the so-called Artificial Intelligence Act. Although the Artificial Intelligence Act aims at protecting fundamental rights when AI is deployed, it does not cover any risks relating to black box AI nor are there any guidelines in place that apply to this concern.

Due to the lack of transparency, black box AI poses a significant challenge in the context of the processing of personal data. Namely, data subjects (eg, patients) have the right not to be subject to a decision based solely on automatic processing (Article 22, GDPR). A data subject may therefore request that a decision made about them by automated means shall be reviewed by a natural person (eg, a doctor). It may be difficult for the natural person to assess whether the decision made by an AI system was correct if that person is not aware of how the AI system decided on a certain outcome.

Companies that are entering the digital healthcare market by developing and selling new digital healthcare technologies should be aware of the challenges that the convergence of two industries entails. Traditional healthcare or pharmaceutical companies may be confronted with pertinent challenges relating to cybersecurity and data protection when entering digital markets (eg, ransomware, phishing and denial-of-service attacks). On the other hand, companies that are ordinarily involved in the offering of digital services and products to customers may be surprised to learn about the highly regulated context of the healthcare industry and the additional compliance requirements associated with entering that market.

Healthcare institutions or other customers of such new technologies have every interest in appropriately allocating the roles and responsibilities when negotiating agreements (eg, master services agreements, software as a service (SaaS) agreements and data processing agreements) and in adequately addressing any inherent risks.

In order for digital healthcare to be fully embraced by healthcare organisations and healthcare professionals, considerable changes to the infrastructure and organisation of hospitals and practitioners will be required. For instance, several cyber-attacks on Belgian hospitals and testing centres during the COVID-19 crisis have proven that healthcare institutions are a frequent target for cybercriminals and are often ill prepared for such a challenge.

At the level of the individual practitioner, several barriers prevent the adoption of healthcare technologies. A recent study by the Belgian Health Care Knowledge Centre concluded that general practitioners struggle with security concerns and an overload of information on e-health platforms. They also have to invest substantial amounts of their own time in getting to know new IT systems and they are reluctant to depend on external services for the operability and functioning of their general practice. The eHealth Action Plan 2019–2021 recognises these barriers and sets forth the intention to put more resources towards operational excellence and providing incentives for healthcare professionals.

Besides investment in better infrastructure, due care should be given to a radically different manner of educating healthcare providers. In order for AI, mobile health technologies and wearables to find their way to individual practitioners, these caregivers should be incentivised and educated thoroughly and continuously. The Health Care Quality of Practice Act of 22 September 2019 imposes an obligation of continuous learning on healthcare professionals; however, multiple implementing acts are still required and qualitative digital healthcare learning opportunities need to be offered to practitioners.

As a final point, while improving the infrastructure at the level of healthcare organisations and professionals is critical for advancing digital healthcare, careful consideration should also be given to equal access and non-discrimination of patients. The uptake of the IoMT and general connectivity of patients must therefore also be reviewed on a population level.

Data management is of the utmost importance for companies active in the healthcare industry. For instance, adequately managing clinical trial data is fundamental with regard to the set-up, conduct and successful outcome of clinical trials. In this context, the Clinical Trial Regulation (Regulation (EU) No 536/2014) regulates clinical data management, which should result in the generation of high-quality and statistically reliable data from clinical trials. The central database “Clinical Trials Information System” supports the entry, verification and quality control of data collected during clinical trials.

As discussed (see 13.1 IT Upgrades for Digital Healthcare), the healthcare industry is a frequent target for cyber-attacks, and is generally ill prepared for such hazards, requiring swift and appropriate measures. In this context, there are several national and European initiatives, laws and regulations that aim at fostering and upgrading companies’ IT infrastructure and ensuring the continuity of care, including the Early Warning System of the Belgian Centre for Cybersecurity, the European Commission’s proposed NIS2 Directive or the Health Care Quality of Practice Act of 22 September 2019.

There are no frameworks in place that particularly apply to the protection of intellectual property in the field of digital healthcare. Therefore, one has to revert to existing and traditional regimes regarding intellectual property protection.

Inventions are patentable if they fulfil the criteria of novelty and inventiveness and if they are capable of industrial application. Computer programs are in principle exempt from patent protection as such; however, software may be protected if incorporated in a product of a technical nature. Problems also arise in relation to the inventor of AI inventions. Under the current guidelines for applications to the European Patent Office, the inventor needs to be a human being. This is problematic when inventions are made by AI without human intervention. In addition, one might wonder whether patents for inventions made by AI need to be vested in the researcher who discovers the invention when using the AI technology, the owner of the AI technology or the developer of that technology.

Furthermore, the author of a literary or artistic work that is original and expressed in a specific form is granted copyright protection. As long as software and databases meet the requirements of expression and originality, they can also be protected by copyright. In addition, a database can be protected by the Sui Generis Database Right if the acquisition, control or presentation of that database qualitatively or quantitatively represents a substantial investment on the creator’s or developer’s part (Article XI.306 of the Code of Economic Law).

Trade secret protection in Belgium is detailed in Title 8/1 of Book XI of the Code of Economic Law and based on Directive (EU) 2016/943 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure. Information constitutes a trade secret if:

  • it is not generally known or readily accessible to persons in circles that normally deal with the kind of information in question;
  • it has commercial value because of its secrecy; and
  • it has been subject to reasonable steps to keep the information secret.

The illegitimate disclosure or acquisition of such information can be contested in court and (former) employees can be sanctioned for disclosing such information.

Intellectual property protection carries both advantages and disadvantages. A pertinent example of both is the fact that such protection might foster as well as hinder innovation.

On the one hand, intellectual property protection plays a crucial role in fostering innovation, particularly in the context of R&D. Digital healthcare companies invest largely in the development of a product, which usually requires a lot of time, energy and money. Successful products might be highly lucrative, which, in turn, might result in the digital healthcare company having a commercial advantage when compared to its competitors. Therefore, once granted, intellectual property protection provides the necessary tools to safeguard the hard work and prevent competitors from infringing the product. In this context, intellectual property incentivises innovation.

On the other hand, intellectual property protection might hinder innovation, especially when digital healthcare companies seek to obtain intellectual protection solely for anti-competitive purposes and hence use this protection to prevent competitors from entering the market. For instance, the digital healthcare company might use patents as a strategic deterrent by building up so-called patent thickets, making follow-on innovation by other firms entering the market a more challenging, costly or even impossible process.

The contractual licensing structures in the digital healthcare industry vary depending on the type of product. For example, to download medical, fitness and well-being apps, digital health providers will usually offer an end-user licence agreement in order for the end user (B2C) to be able to use the app and its underlying software. As far as it concerns the licensing of cloud services, generally, the SaaS licence is used, where the cloud service provider hosts the app and related data, and makes it available to end users (B2B and B2C) over the internet.

Education is a competence of the Communities in Belgium. The Codex Higher Education of the Flemish Community provides that the intellectual property rights to inventions created by salaried researchers in the course of their research duties for the university or the university of applied sciences are vested in that university (of applied sciences). The university has the sole right to exploit any such inventions. Belgian universities have a long tradition of creating and supporting spin-off companies and the Flemish Catholic University of Leuven (KU Leuven) has been named the most innovative university in Europe several years in a row for its large number of (successful) patents filed in the field of pharmaceuticals and biotech, agriculture and food, chemicals and medical devices.

Belgian universities often collaborate with industry partners and participate in European consortium projects by conducting R&D or seconding one of their researchers to a project. The ownership and exploitation of intellectual property rights differ from project to project; however, Belgian academic institutions often endeavour to secure the ownership rights to their R&D results and grant the exploitation rights to the industry.

The pandemic has evidenced that better public health is driven by improved collaborative working, including through public-private partnerships. In order to foster the innovation that such partnerships can yield, trust between the different participants needs to be built, including while drafting and negotiating R&D agreements. In this regard, the allocation of ownership and exploitation rights for digital health inventions must be determined from the outset.

As previously stated, default statutory rules vest intellectual property rights of new ideas, works or inventions with the inventor or author of such work. Therefore, pharmaceutical and medtech companies that outsource part of their R&D need to consider which rights they need to secure in relation to the results of the R&D, including if, and to what extent, they have sufficient freedom to operate to exploit the outcomes of their research investment commercially.

New technologies increase the number of participants involved in healthcare and make it increasingly complicated for a patient to seek redress for damage caused in the provision of healthcare. The liability of a physician or hospital can be invoked contractually and extra-contractually, depending on the act from which the damage arises. Furthermore, patients can seek compensation from the Fund for Medical Accidents in the case of severe damage caused by:

  • medical accidents without liability;
  • medical accidents with liability where the healthcare provider’s insurer disputes the liability or makes a manifestly inadequate proposal; and
  • medical accidents with liability when the healthcare provider is not insured or is inadequately insured.

This Fund for Medical Accidents is financed exclusively by the Belgian state and is a service of the NIHDI. Furthermore, product liability for medical devices is based on the strict liability regime of Directive 85/374/EEC. In this regard, a medical device is defective when it does not provide the safety that a person is entitled to expect, taking into account all circumstances, including:

  • the presentation of the product;
  • the reasonably expected use of the product; and
  • the time when the product was put into circulation.

Any person in the production chain, the EU importer and the supplier might be held liable.

In light of new technologies, these classic liability regimes may need to be revisited. For instance, AI-driven software sometimes lacks transparency in its decision-making and demonstrates considerable autonomous behaviour. This leads one to question whether a physician is at fault (and liable) if that physician does not follow a diagnosis made by an AI technology or, conversely, whether that physician fails to perform the required due diligence by making treatment decisions based on a diagnosis made by an AI technology without knowing exactly how the software reaches a conclusion.

With respect hereto, the new legislative proposal of the European Parliament on AI suggests the implementation of both a strict liability and a fault-based liability regime for AI technologies, depending on the risk involved in that AI system. Similarly, the Product Liability Directive may not always offer relief with regard to defects in digital health technologies, as many of these applications contain one or several service elements, which may make it more difficult to classify the technology as a defective product.

As stated above, multi-participant involvement in the manufacture of digital healthcare technologies and the provision of healthcare services has made it gradually more complex to allocate responsibility. Under the defective product regime, any participant in the supply chain may be held liable, including the EU importer and the supplier.

As regards data protection, any controller is accountable for any damage that arises from a processing activity that breaches the GDPR, in contrast with processors, which are only responsible for damage that is the result of that processor acting outside the lawful instructions of the controller. Data processing agreements thus often include rigid liability and indemnification obligations to ensure a controller can recover the damage that is caused by its service provider from that processor.

Constrained healthcare budgets are finding new and innovative (pricing) solutions by investing in value-based arrangements with the industry. Such value-based care requires qualitative real-world evidence data from patients, outside the controlled environment of a clinical trial. Patients, healthcare providers, reimbursement authorities and the industry will therefore have to collaborate to gather the necessary data for cost-efficiency analyses. This may soon not only be done at the national level but also at the European Union level, as the member states have adopted a common position on health technology assessment.

Healthcare is also visibly working towards more integrated, personal solutions, where the traditional prescription of medicines may be combined with a mental health or symptom tracker app. Physicians encourage patients to take ownership of their own health by making lifestyle switches and patients are able to review their health status from their pockets by consulting their medical records and personal health information collected through monitoring devices.

All in all, it can therefore be expected that the future of healthcare is personalised and patient-centred, with a strong focus on prevention.

QUINZ

Medialaan 28B
1800 Vilvoorde
Belgium

+322 557 380

+322 534 219

info@quinz.be www.quinz.be
Law and Practice in Belgium
