Polish regulatory provisions do not provide a legal definition of the terms “digital health” and “digital medicine”. The distinction between these concepts is, therefore, a matter of practice and technical distinctions in many detailed regulations.

As a rule, it can be said that digital health is the broader concept, covering:

• patient/user-centric actions and products, such as the area which connects lifestyle and daily actions that have an impact on health, digital technologies and healthcare; and
• the broad field of digital technologies (eg, public databases containing healthcare data) used not only to diagnose and treat patients and support diagnosis and treatment, but also to support, administer and enhance the efficiency of healthcare systems and organisations, oversee the standard of care provided by individual healthcare-providers, or conduct scientific research.

By contrast, digital medicine would be understood as a narrower concept, ie, the use of the aforementioned technologies and concepts for the provision of healthcare to individual patients.

The clearest distinction between the two can be seen in regulatory requirements – eg, digital health technologies do not meet the regulatory definition of a medical device (see 6.1 Categories, Risks and Regulations Surrounding Software as a Medical Device Technologies). However, digital health products or technologies, when used by healthcare service providers (HCPs) to provide healthcare services or process patient medical files, will be subject to regulatory requirements that are applicable to healthcare service-providers (see 2.2 Recent Regulatory Developments, 2.3 Regulatory Enforcement and 7. Telehealth).

Polish law does not provide a legal definition of "digital health" and "digital medicine" or "telehealth" or "telemedicine” but recognises a general possibility for providing healthcare services via IT or telecommunication systems.

Medical Activities and Healthcare Services

The Act on Medical Activity provides that medical activity may be conducted through IT and communication systems. Medical activity is defined as providing healthcare services, promoting health, conducting teaching and research in connection with the provision of healthcare services and promoting health, or implementing new medical technologies and methods of treatment.

Teleconsultations

Polish law defines “teleconsultations”, which is a primary healthcare service provided remotely using IT systems or communication systems. Primary healthcare is a category of guaranteed, ie, publicly financed, healthcare services provided by a doctor, nurse or midwife, such as basic health advice and diagnostics, and consultations by general practitioners.

The rise and proliferation of digital healthcare and digital medicine solutions is fuelled by a confluence of a number of trends and technologies. The increase in computing power and storage capacity and the availability of cloud storage and cloud-computing solutions, make storing and analysing large volumes of medical data – both for digital medicine and healthcare purposes – more feasible.

The digitisation of medical devices and use of wearables (eg, smart watches) result in the availability of growing volumes of high-quality digital medical data.

The growing use of smartphones, access to computers and high speed and bandwidth internet and mobile internet means that people can take advantage of telemedicine services.

The development of AI and machine learning (ML) solutions builds on all of these trends.

As all the new technologies and solutions in digital health either require or aim at providing large volumes of high-quality medical data, one of the most important issues is how such data can be used, by whom and for what purposes.

This raises the technical but important issue of establishing laws or guidelines on how medical data should be pseudonymised or anonymised in order to minimise the risk of re-identification – an issue which necessarily entails some hard choices between the quality and completeness of available data and patient privacy.

This last factor raises the need for establishing rules of handling non-personal medical data (which is not protected under the General Data Protection Regulation (GDPR)), and transparency and accountability obligations connected with that use.

Work on the development of telehealth in Poland began even before the COVID-19 pandemic.

However, the COVID-19 epidemic resulted in a significant increase in the number of health services provided in the form of telemedicine – especially in the field of primary health care. A rising number of new healthcare entities provide outpatient health services (eg, outpatient clinics, non-hospital health centres) exclusively in the telemedicine model.

The key regulatory agencies operating in the area of healthcare include the following.

The Minister of Health (MoH)

The regulatory powers of the MOH include the following.

Reimbursement

The MoH decides whether a given medicinal product or medical device will be reimbursed. Risk-sharing schemes concluded in connection with reimbursement decisions may cover additional obligations, eg, the obligation to make software (eg, a mobile application) dedicated to a given reimbursed product available to patients, or the obligation to aggregate specific data related to efficacy and safety of treatment (see 16.1 Hot Topics That May Impact Digital Healthcare in the Future).

Public financing of healthcare services

The MoH decides whether to finance health services (specific medical procedures) with public funding. New technologies within the framework of digital healthcare and digital medicine, such as medical devices supporting diagnostic and therapeutic decisions, operating on the basis of AI/ML algorithms, can be publicly financed as elements of specific medical procedures.

Audit powers

The MoH can audit HSPs, including HSPs providing telemedical services (see 2.3 Regulatory Enforcement).

Creation of databases

The MoH can create public registers containing medical data on specific diseases, disorders or disabilities (see also 2.2 Recent Regulatory Developments).

The President of the Office for the Registration of Medicinal Products, Medical Devices and Biocidal Products (RO President)

The regulatory powers of the RO President include the following.

Supervision of medical devices

Medical devices software as a medical device (SaMD) as well as devices operating on the basis of AI/ML algorithms – manufactured, placed onto the market and put into use or subject to performance evaluation in Poland.

Authorising clinical investigations and clinical trials

The RO President authorises clinical trials (in the case of medicinal products) and clinical investigations (in the case of medical devices) carried out in Poland and also has competence in the area of pharmacovigilance.

The prerogatives of the RO President are currently undergoing significant changes because of the start of the application of the Medical Devices Regulation (MDR) and the In-vitro Diagnostic Medical Devices Regulation (IVDR). The new Polish Act on Medical Devices, which regulates issues not regulated in the MDR, in particular how the powers of the RO President are exercised, came into force on 26 May 2022 (see 2.3 Regulatory Enforcement and 6.1 Categories, Risks and Regulations Surrounding Software as a Medical Device Technologies).

The President of the National Health Fund (NHF)

The NHF is primarily responsible for the public financing of health services. The NHF has the following responsibilities.

• Negotiating and concluding contracts for the provision of guaranteed healthcare services with HSPs (hospitals, health centres, outpatient clinics, etc). The NHF defines model contracts with HSPs, which have a decisive impact on patient access to publicly financed treatment.
• Monitors the performance of contracts concluded with HSPs and is making settlements with them. For this purpose, the NHF also keeps its own public register containing medical data – SMPT, which contains detailed data on services provided to patients.

The President of the Agency for Health Technology Assessment and Tariff System (AOTMiT)

The AOTMiT is the Polish Health Technology Assessment agency. The task of the AOTMiT is to provide substantive support to the MoH in making decisions on pricing and public financing of healthcare services, including digital health and digital medicine services.

A gradual digital transformation of the healthcare sector in Poland in recent years has become apparent.

One of the main directions of regulatory changes is the gradual development of public IT systems and healthcare databases. The development of the Electronic Platform for Collecting, Analysing and Sharing Digital Resources on Medical Events, (the “P1 Platform”) is one of the key projects.

The P1 Platform currently includes a number of independent systems and databases that provide various functionalities to patients, healthcare-providers and public authorities, which are related to the planning, provision and management of healthcare services. Among the systems and functionalities currently operating within the P1 Platform are the following:

• the Medical Information System (MIS), which processes data on provided, delivered and planned healthcare services, uploaded by HSPs;
• the Internet Patient Account (IPA), a web application enabling each patient to access their health information, including medical records, e-prescriptions, e-referrals and information about planned and performed publicly financed medical services;
• the e-prescription system for issuing and managing prescriptions in electronic form; and
• the e-referral system for issuing and managing referrals for examination or treatment.

Apart from these "horizontal" systems, the MoH has established over a dozen registers containing medical data on specific diseases, disorders or disabilities (the register of vascular operations, the National Cancer Registry, and others).

Another important regulatory trend is the gradual shift from paper to electronic medical records. As a general rule, medical records should be kept in electronic form. It is only possible to keep medical records in paper form in exceptional situations, and certain categories of documents.

The aforementioned regulatory trends unite into a trend of gradually integrating electronic medical records with the MIS. Ultimately, all medical patient data in medical records kept by an individual HSP is to be made available to other HSPs in the MIS.

An important direction of change currently being discussed is the assurance of greater availability of medical data to non-public entities for purposes of scientific research and development work (clinical trials and investigations, development of AI/ML, building solutions in telemedicine and e-health). For example, the Policy for the Development of Artificial Intelligence in Poland from 2020, adopted by the Polish Council of Ministers, indicates that the public sector will pursue:

• pilot programmes for storing anonymised medical data;
• support for the development of tools and solutions using medical data, including, in particular, telemedicine and e-health solutions;
• optimisation activities in the healthcare sector based on the analysis of data such as maps of needs, supply of and demand for services, and the use of resources and data from digital services; and
• sharing medical data for creating more effective treatment methods.

The conclusions of the European Commission’s Assessment of the EU Member States rules on health data in the light of the GDPR, and the draft European Data Governance Act published in November 2020, are heading in the same direction. On 3 May 2022, the EU published a proposal for the European health data space, which aim is to make health data more accessible to stakeholders of all kinds.

General Remarks

Each agency identified in 2.1 Healthcare Regulatory Agencies has its own supervisory powers and has the ability to impose sanctions. These may be both administrative sanctions (eg, withdrawal of the licence/authorisation) and, in some cases, financial sanctions. Proceedings are based on the Polish administrative procedure, while final decisions issued by agencies are subject to judicial review.

MoH Supervision of Healthcare Service-Providers

The MoH is responsible for supervising whether HSPs are in compliance with the law (also when providing telemedicine services). HSPs that provide only telemedicine services are not subject to some of the obligations that are incumbent on HSPs providing traditional health services (eg, premises requirements), but they still have to fulfil a number of other obligations (eg, related to medical records, MIS integration, etc). The MoH can:

• audit and observe activities related to the provision of healthcare services (in a manner that does not breach patient rights);
• verify the HSP’s documentation (including medical documentation);
• verify compliance with the internal organisational regulations of the HSP; and
• assess the management of public property and funds.

After an audit, the MoH prepares an audit report, in which it can present audit recommendations. Failure to comply with recommendations can result in the HSP being removed from the HSP register (the performance of medical activity without registration is an offence and is punishable by arrest, a restriction of freedom or a fine).

Supervision of the Medical Devices Market by the RO President

The RO President supervises devices that are manufactured, placed onto the market, put into use or subject to performance evaluation in Poland. This also applies to software as a medical device, and devices operating on the basis of AI/ML algorithms.

The powers of the RO President regarding the supervision of medical devices are currently undergoing significant changes because of the start of the application of the MDR and IVDR (see 6.1 Categories, Risks and Regulations Surrounding Software as a Medical Device Technologies).

The RO President may request that manufacturers of medical devices provide all the information and documentation necessary to demonstrate conformity of the medical device.

If the manufacturer fails to co-operate or the information and documentation provided is incomplete or incorrect, the RO President may take all appropriate measures to prohibit or restrict the device from being made available on the market, to withdraw the device from that market or to recall it.

The RO President may conduct inspections of economic operators (manufacturers, importers, distributors, sub-contractors operating in Poland, etc). These audits can apply all activities conducted during the product life cycle, including design, manufacturing, storage, distribution, assembly, placement on the market.

If the RO President finds that a device presents an unacceptable risk to the health or safety of patients, users or to public health, it can require the manufacturer and all other relevant economic operators to take all appropriate corrective action to bring the device into compliance and to restrict the availability of the device on the market, to subject the availability of the device to specific requirements, to withdraw the device from the market, or to recall it.

The RO President also monitors investigations of serious incidents regarding medical devices conducted by manufacturers and is authorised to impose administrative fines for non-compliance with the applicable regulatory requirements.

One of the key regulatory aspects of digital healthcare and digital medicine activities is compliance with personal data protection law. Digital healthcare and medicine are inextricably linked with the increase in the volume of data – both in terms of the number of people whose data is processed and the amount and categories of data used. Secondly, medical data can be accessed not only by HSPs but also by technology providers – IT (including SaMD) service-providers, suppliers of physical medical devices which are integrated with additional services supporting diagnostics and therapy (diagnostic imaging devices that record, store and transmit CT scans, MRI and PET images, and which can be offered in combination with remote diagnostic services). All of this makes it particularly important to comply with data privacy obligations.

The authority supervising compliance with data protection law is the President of the Personal Data Protection Office (PPDPO).

The PPDPO has oversight over all personal data processing conducted by any entities operating in the area of digital healthcare. The PPDPO supervises the implementation of obligations resulting from sector-specific regulations in the area of digital healthcare to the extent that these sectoral regulations impose obligations related to the processing of personal data, eg, the obligation to implement specific security measures, or the obligation to share this data with other entities only under certain conditions.

The PPDPO’s supervision covers such issues as the following.

• Security of data processing, including implementation of appropriate technical and organisational security measures. The PPDPO can audit the manner in which medical records are stored by medical entities and assess whether IT systems used for processing electronic records, as well as the physical infrastructure on which they operate, ensure that there is an adequate level of security.
• Ensuring that data is only processed to the extent to which the data controller has legal grounds for doing so, and only for the purpose covered by such grounds – eg, on the basis of the patient’s consent, for the purposes specified in the consent, or when processing is necessary to provide healthcare services.
• Ensuring that patients receive transparent and comprehensive information on the processing of their data. This is particularly important when using data for secondary purposes, eg, training neural networks (see 11.1 The Utilisation of AI and Machine Learning in Digital Healthcare).

Preventative care and diagnostic care both fall within the scope of primary healthcare. In addition to the preventative care provided as primary healthcare, there are also publicly financed preventative programmes carried out as part of guaranteed healthcare services or as part of health policy programmes. Publicly financed preventative programmes are implemented and financed by the NHF and includes, among others:

• breast cancer prevention programmes;
• cervical cancer prevention programmes;
• prenatal screening programmes; and
• tobacco disease prevention programmes.

Health policy programmes are implemented and financed by the national government or local governments and concern important epidemiological issues and other significant health problems (eg, the National Lung Cancer Early Detection Programme). Preventative care objectives are also achieved through vaccination programmes and through occupational medicine.

Depending on the context, wellness and fitness data may be processed by healthcare institutions for the purpose of providing healthcare. In such situations, processing will be governed by specific healthcare regulations, such as the Act on Patients’ Rights and the Patient Ombudsman, the Act on Healthcare Services, the Act on the Information System in Health Care and their applicable implementing regulations.

Currently there is no court jurisprudence which would substantially affect the mechanisms defined in these regulations.

In recent years, the main drivers for the increased use of preventative care have been institutional (government emphasis on preventative care) and technological – digitalisation of healthcare and development of related technology. The COVID-19 pandemic paved the way for implementing digital health tools such as online symptom checkers, patient portals, remote patient monitoring tools and telehealth, which give patients greater control over their health and enable them to prevent health issues from developing. Even though Poland at the beginning of this year lifted most of the COVID-19 restrictions, it seems that the use of technology in healthcare will likely become a long-term trend.

On the other hand, the Polish healthcare system has not yet assimilated widespread use of software or AI/ML powered medical devices to enhance accessibility to preventative and diagnostic healthcare. Access may be difficult, especially in under-developed areas where healthcare access in general is less available.

There are no specific healthcare regulations and privacy regulations concerning wellness and fitness data.

Processing of wellness and fitness personal data is governed by GDPR. Non-personal wellness and fitness data will not be subject to GDPR.

Depending on the context, wellness and fitness data may be processed by healthcare institutions for the purpose of providing healthcare. In such situations, processing will be governed by specific healthcare regulations, such as the Act on Patients’ Rights and the Patient Ombudsman, the Act on Healthcare Services, the Act on the Information System in Health Care and their applicable implementing regulations.

Currently there is no court jurisprudence which would substantially affect the mechanisms defined in these regulations.

Processing of wellness and fitness personal data is governed by GDPR. Non-personal wellness and fitness data will not be subject to GDPR. 

Depending on the context, wellness and fitness data may be processed by healthcare institutions for the purpose of providing healthcare. In such situations, processing will be governed by specific healthcare regulations, such as the Act on Patients’ Rights and the Patient Ombudsman, the Act on Healthcare Services, the Act on the Information System in Health Care and their applicable implementing regulations.

Currently there is no court jurisprudence which would substantially affect the mechanisms defined in these regulations.

Promotion of health and preventative care are regulated by the National Health Programme, which is adopted every five years by the Polish Council of Ministers. The current programme was adopted on 30 March 2021 and covers the period of 2021–25. The strategic objective of the National Health Programme 2021–25 is to increase healthy longevity and to reduce social inequalities in health. The operational objectives include:

• prevention of becoming overweight and obesity;
• prevention of addictions;
• promotion of mental health;
• promotion of environmental health;
• prevention of infectious diseases; and
• the management of demographic challenges.

Diagnostic and preventative care issues have also been addressed by the MoH in its document "The Healthy Future. This is a strategic framework for the development of the healthcare system for 2021–27, with an outlook until 2030”. The MoH wants to focus preventative healthcare activities on high-risk conditions (obesity, drug abuse, sedentary lifestyle, exposure to excessive stress).

Regulations related to new types of technology in preventative care are being contemplated. The "White Book of AI in Clinical Practice", created in cooperation with the MoH to clarify issues related to the implementation of AI tools in the healthcare system, is currently undergoing public consultations.

The challenges faced by non-healthcare companies entering the market are related to the following issues.

GDPR, Data Security and Management

The use of medical data (either personal, pseudonymised or anonymised) by such companies has to comply with demanding requirements. Certain issues connected with processing of personal data, such as data transfers outside the EU/EEA, remain a practical challenge for a significant number of businesses.

Regulatory Requirements

Companies must identify and comply with legal provisions that protect patients’ rights that do not apply outside of the healthcare context.

Issue of Liability

Non-healthcare companies have to address the fundamental issue of their role within the context of providing patients with healthcare. Depending on how their services are structured and sold, these companies can run the risk of becoming healthcare providers.

AI Systems

In the case of AI/ML systems, rules and extent of liability for harm caused by AI/ML are still subjects requiring further regulation. AI/ML medical devices have to go through a conformity assessment process which demands time and resources, and which has to take into account certain issues specific to AI/ML technologies.

Regulations

Non-healthcare companies must be aware of the changing regulations concerning the marketing of certain categories of products, eg, new stringent requirements for medical devices and in-vitro medical devices.

The increasing use of connected medical devices in digital healthcare is influenced by the development of various technologies and a need to save time and achieve high efficiency. Common access to smartphones and smartwatches, proliferation of connected medical devices and the growing access to internet among the older population make the use of such solutions possible on a large scale. According to the Polish Report on the Degree of Informatisation of Healthcare Providers issued in 2021, there has been a significant increase in the use of telemedicine by HCPs.

The most affected healthcare areas are patient-HCP communication, monitoring of treatment regimes, disease management and prevention and remote care.

Connected devices allow HCPs to gather a lot of medical data that is crucial for detecting, treating, and preventing diseases in ways that are easier and more accessible compared to standard tools. Connected devices in clinical trials have enhanced remote patient monitoring and reduced the number of visits to clinical sites.

In 2021, the Polish MoH initiated a pilot programme for the use of telemedicine wristbands in primary healthcare for patients who have gone through a COVID-19 infection. The aim of the programme is to assess the effectiveness of the implementation of healthcare services in the field of primary healthcare with the use of telemedicine bands. The wristbands enable GPs to monitor patients' vital signs on an ongoing basis.

If a patient suffers harm because of an error made by healthcare professionals, the patient will be entitled to seek compensation from them (or the healthcare provider that employs them) (see 15.1 Patient Care).

If a patient suffers harm because of an error made by healthcare professionals, the patient will be entitled to seek compensation from them or the healthcare provider that employs them (see 15.1 Patient Care).

An HCP can also be liable for harm resulting from the lack of proper maintenance of medical devices that it operates (which may include, for example, installing updates or using appropriate anti-virus software). Polish courts have found hospitals liable for lack of proper inspection of medical devices that led to patient injury, even if such inspections were beyond the doctors’ and nurses’ control.

If damage is caused by the malfunction of a defective medical device, the seller or manufacturer can be liable on their own for patient injury caused by their technologies under the product liability regime.

A healthcare provider can also be liable for harm resulting from lack of proper maintenance of medical devices that it operates (which may include, for example, installing updates or using appropriate anti-virus software). Polish courts have found hospitals liable for lack of proper inspection of medical devices that led to patient injury, even if such inspections were beyond of the doctors and nurses' control.

If damage is caused due to malfunction of a defective medical device, the seller or manufacturer can be liable on their own for patient injury caused by their technologies under the product liability regime (see 13.1 IT Upgrades for Digital Healthcare).

The use of internet of medical things involves processing of a lot of sensitive, medical data. It also increases the volume of processed data – both in terms of the number of people whose data is processed and categories of data that are used. In addition, access to medical data is granted not only to HCPs, but also technology providers. This gives rise to security challenges that must be addressed.

The above risks are generally addressed in contracts between healthcare institutions and IT service providers (eg, in Service Level Agreements). Such agreements typically obligate IT service providers to provide appropriate cybersecurity solutions and regulate the IT service providers’ liability for damage caused by a breach of cybersecurity.

Healthcare institutions typically also employ data protection officers (DPOs) who, as part of their obligations under GDPR, assist their institutions in establishing cybersecurity mechanisms.

In 2021, the Polish government published a new draft law that addresses the issues of certification of IT products and services, which aims to implement EU Regulation 2019/881 (the EU Cybersecurity Act). The new law will set mandatory requirements for IT products and define the obligations of manufacturers of IT products.

There are no specific Polish draft laws or Polish proposed legislation since EU level initiatives address these topics and the EU regulations will be directly applicable in Poland. Two proposed EU regulations will be crucial for internet of medical things and other forms of connected devices as follows.

• The Regulation on the European Health Data Space that aims to reshape access to medical data and its use in research and policy. The act is to provide individuals with better digital access to their personal health data. It also proposes novel rules on the use of patients’ digital health data for research, innovation, policy-making and regulatory activities (so called-secondary use).
• The Regulation on Harmonised Rules on Fair Access to and use of data (Data Act) that introduces two very important new concepts:

a) very broad user rights to machine data generated by the products and services they buy (including any IoMT devices and other forms of connected devices);

b) the possibility for users to share machine data generated by their products with third parties - and the right to demand that the supplier of such goods/the holder of such machine data provide this data to a third party designated by the user.

The Data Act will also allow public bodies to access machine data created by the private sector in exceptional circumstances.

Regulation (EU) 2017/745 on medical devices (MDR) became directly applicable in all EU member states on 26 May 2021. This act forms the basis of a comprehensive EU reform of the medical device law. MDR replaced most of the provisions of Polish law on medical devices. Some issues related to medical devices under MDR have been left to be clarified at the level of national legislation. The new Act on Medical Devices entered into force on 26 May 2022.

Softwareas a Medical Device

The regulatory definition of medical devices enshrined in MDR includes SaMD.

When deciding whether software will be a medical device, the guidance provided by the European Commission in MEDDEV documents and the guidance provided by the Medical Device Co-ordination Group (MDCG) plays an important role.

According to that guidance, software which fulfils the definition of a medical device, performs operations on data, and is intended for the benefit of an individual patient to support or influence the medical care provided to that patient, but its performance of operations on data is limited to storing, archiving, transmitting or simple searching, will not be a medical device.

Devices that operate on the basis of AI/ML algorithms are not more likely to meet the above definition solely by virtue of this fact. Rather, the deciding factor will be whether both the purpose and the function of the AI/ML system satisfy the above-mentioned criteria.

For example, Optical Character Recognition (OCR) software using AI/ML algorithms to digitise patient medical records or the healthcare professional’s notes will not be a medical device. Similarly, image management systems (IMS) that use AI/ML algorithms to extract information from patient files, not for the benefit of individual patients, but for public health purposes or for scientific research, will not be a medical device.

However, an IMS that incorporates AI/ML algorithms that support post-processing of images to assist diagnosis, will be a medical device.

The MDR brought important changes to SAMD classification rules. According to previous classification rules, SAMD in most cases belonged to class I, and in certain cases – to class IIa or IIb. SAMD was not classified in class III.

Under the new classification rules, the default class for SAMD is class IIa, unless the software is intended to be used to take decisions involving an increased risk for the patient (eg, death, serious deterioration of health, need for surgical intervention). If that is the case, the product will belong to class IIb or III.

As soon as software is no longer classified as class I, manufacturers must:

• involve notified bodies in the conformity-assessment process; and
• in general, establish a certified quality-management system.

Importantly, on a literal reading, the new classification rules have been formulated in a way that does not allow for the probability of a negative effect when making an assessment – only the severity (eg, "might lead to death") or duration ("irreversible") of potential negative outcomes are taken into account. The MDCG and IMDRF guidelines try to solve this problem, to some extent.

General Remarks

Seeing opportunities arising from the development of technology and taking into account the lack of human resources among healthcare professionals, the Polish legislature has been successively enabling the use of telemedicine solutions.

Since 2015, the development of telemedicine can be noticed primarily in the area of teleconsultations – especially by primary care doctors.

Telemedicine solutions are also popular in image diagnostics, and within it, teleradiology, involving the remote provision of description or consultations of radiological images services, provided to an HSP by an external vendor.

The Market Practice

Telemedicine complements and, in some areas, almost supersedes the traditional, stationary scheme of operation. There are HSPs that provide outpatient healthcare services exclusively as teleconsultations. In principle, HSPs operating “telemedical” clinics (ie, providing services only remotely), must satisfy the same regulatory requirements as physical establishments, but do not need to satisfy the same requirements as to the types of premises and equipment (which is highly convenient in practice).

Popularising and Facilitating Teleconsultation

The COVID-19 epidemic has had a significant impact on the development of telemedicine. The increasing number of people staying at home directly translated into an increase in demand for teleconsultation, telecare and telediagnostic services.

Response to this growth involved taking advantage of the already available general legal solutions enabling health services to be provided remotely (see 1.5 Impact of COVID-19) while, at the same time, relieving doctors providing teleconsultations in connection with combating COVID-19 from certain obligations (eg, regarding the keeping of medical records).

The rules on checking patient identity and verifying rights to publicly financed healthcare services have also been relaxed for the duration of the COVID-19 epidemic – enabling verification through ICT or communication systems, including through instant messaging (such as via Zoom and Microsoft Teams and other platforms).

Additional Requirements for Teleconsultations

In some situations, publicly financed services can only be provided through direct contact with the patient. Examples of such situations are:

• a patient’s lack of consent for teleconsultations;
• first visits; and
• chronic illnesses with worsening or changing symptoms.

These restrictions do not apply to privately funded services.

Public Financing of Telemedicine

In order for a medical facility to provide publicly financed telemedicine health services, the following is required:

• the method of providing services must be permitted by the NHF (eg, primary healthcare teleconsultations);
• an HSP needs to conclude a contract with the NHF for the provision of specific services; and
• the HSP must provide telemedicine services in accordance with current medical knowledge and in compliance with the law and the NHF contract (see 2.2 Recent Regulatory Developments and 7.2 Regulatory Environment), and then submit those properly performed services for settlement to the NHF.

Commercial Financing of Telemedicine

Health services using telemedicine are also becoming increasingly common in the private sector. In such cases, the price is not subject to specific regulations, and, for instance, private insurers set their own financing rules.

The proliferation of the Internet of Things (IoMT) is fuelled by the confluence of trends and technologies discussed in 1.4 Emerging Legal Issues,9. 5G Networks and 11. AI and Machine Learning. Because the very aim of IoMT solutions is to acquire more data on patients and users, one of the most important regulatory contexts for IoMT is data privacy and access to data (discussed in 3.1 Non-healthcare Regulatory Agencies, Regulatory Concerns and New Healthcare Technologies and 10.1 The Legal Relationship Between Digital Healthcare and Personal Health Information).

Because some IoMT products will fall into the medical devices category (eg, wearable defibrillators, wearable Holter monitors – a type of portable ECG), the MDR provides a regulatory framework which is also central to IoMT in healthcare (see 6.1 Categories, Risks and Regulations Surrounding Software as a Medical Device Technologies).

Depending on the business set-up, companies supplying IoMT solutions may also be considered HSPs and need to satisfy specific requirements connected with the provision of healthcare services.

But even if an IoMT product (including software used in connection with an IoMT product) is not a medical device (or an accessory to a device) in itself, but is designed to work with a medical device, it may still require to be assessed with regard to the safety of its performance.

If a medical device is intended for use in combination with modules/products (including software), the whole combination, including the interfaces between those parts, must be safe and must not impair the specified performances of the modules which are subject to the medical-device regulations. Important guidance on this topic is provided in MDCG Guidance on Qualification and Classification of Software in MDR and IVDR, and the European Commission’s Manual on borderline and classification in the community regulatory framework for medical devices.

Thanks to the unprecedented speed and bandwidth of 5G, many people have the opportunity to take advantage of telehealth services. Medical treatment in disaster areas and by first responders will also benefit, due to faster and more effective assistance (eg, thanks to real-time support obtained remotely by the rescuers, more accurate data on injured persons' position or condition, fastest evacuation routes). It also offers an opportunity to popularise remote diagnosis, the use of wearable medical devices and remote, robotic procedures (including surgery).

Sharing and Use of Data for Patient Treatment

Access to, the use and sharing of medical data that is personal data, individual medical data which is not personal data, and non-individual (aggregated) medical data for patient treatment is generally permitted only under specific conditions. As a general rule, medical records can be shared between HSPs, and HSPs can access medical data (both personal data and non-personal data) contained in public registries and systems (although patient consent is required in certain cases).

GDPR applies to the processing of patient personal data (including medical data) for the purposes of providing healthcare services, so HSPs have to discharge their duties as data controllers under GDPR (see 3.1 Non-healthcare Regulatory Agencies, Regulatory Concerns and New Healthcare Technologies). Patient consent for processing for purposes of providing healthcare, and for uploading patient data from patients’ medical records to public registries and systems, is not required (different legal grounds can be relied on).

Private business may have access to and process patient medical data if it is necessary in the context of providing healthcare services – eg, hospital information system (HIS) software-providers, companies leasing imaging equipment, together with software used to process personal data (such as CTs, PETs, MRI scanner sets which also archive, manage and process image files), cloud storage or cloud computing companies. Typically, in such cases these third-party vendors will operate as data processors of HSPs.

Sharing and Use of Data for Research and Development

Complicated legal landscape

Access to, the use and sharing of medical data that is personal data, individual medical data which is not personal data, and non-individual (aggregated) medical data for research and development purposes is regulated in a number of different regulations and in divergent ways, depending on where the data originates from.

There are separate rules concerning access to patient’s medical files, access to medical data in systems operating on the P1 Platform – MIS, e-Prescription, and Online Patient’s Account (see 2.2 Recent Regulatory Developments), in public registers created by the MoH (see 2.1 Healthcare Regulatory Agencies), in the SMPT register run by the National Health Fund (see 2.1 Healthcare Regulatory Agencies), or other public registers.

The current landscape will be substantially modified by the upcoming EU Health Data Space regulation (see 5.4 Proposed Regulatory Developments).

Access to medical files

Currently access to a patient’s medical files for purposes other than patient treatment (eg, research and development purposes) by private business requires patient consent. Even after a patient’s death, access requires the consent of a person who was authorised to access the files by the patient during their lifetime, or the patient’s legal representative. Consent is not required in the case of higher education institutions and research institutes – if these use the data only for scientific purposes.

This, connected with the issues mentioned in 13.1 IT Upgrades for Digital Healthcare, causes data contained in medical files to be hard to access by private business – even in anonymised form.

Access to data in public registers

Different public registers and systems have rules of access and use of data that are divergent not only from the rules applicable to medical records, but between each type of register or system.

As a general rule, access to data (both personal data and individual medical data) is limited to HSPs and public institutions. Access to data by private business is either subject to the patient's or their legal representative’s consent (MIS) or not regulated at all (SMPT).

Data from public registers created by the MoH may be made available for scientific research in anonymised form. The data may also be used by public authorities – including the National Health Fund – to monitor the demand for healthcare services and their quality and cost-effectiveness.

Access to data from public registers based on laws on accessibility of public information or re-use of public sector information is possible, but difficult in practice – partly because of an imprecise definition of public information, partly because of a lack of awareness of how these mechanisms should operate on the part of the public sector.

Use of data obtained from public registers

The purposes for which medical data obtained from public registers and systems may be used are also not regulated in a consistent and uniform manner. In some cases, the permitted use is regulated very narrowly – eg, data obtained from the e-Prescription system (see 2.2 Recent Regulatory Developments) can only be used for the purposes of delivering information about the e-prescription to the patient and cannot be aggregated with any other data.

GDPR

The use of personal medical data for research and development (including development of AI/ML systems) falls under the GDPR. Consequently, entities which have obtained any such data have to discharge their duties under the GDPR (see 3.1 Non-healthcare Regulatory Agencies, Regulatory Concerns and New Healthcare Technologies).

There are currently no specific laws that would regulate the processing of personal medical data for research and development by private business. Consequently, private business does not benefit from any exclusions or exceptions to the general rules of the GDPR (for more details see 11.1 The Utilisation of AI and Machine Learning in Digital Healthcare).

Use of AI/ML in Healthcare

AI/ML systems are becoming more prevalent in healthcare – both in supporting diagnosis (eg, in recognising stroke in CT examinations), treatment, helping with keeping digitised records (OCR and Natural Language Processing (NLP) software) and healthcare systems administration (eg, an AI/ML tool for prediction of blood component demand).

The use of AI/ML for the purposes of patient treatment is admissible and not subject to any stricter regulatory regimes than the general rules regarding healthcare services (see 2.1 Healthcare Regulatory Agencies and 2.3 Regulatory Enforcement) and consequently the processing of personal data by AI/ML systems for such purposes is also admissible – subject to general GDPR rules (see 3.1 Non-healthcare Regulatory Agencies, Regulatory Concerns and New Healthcare Technologies and 10.1 The Legal Relationship Between Digital Healthcare and Personal Health Information), although the performance of some of these obligations may raise some practical issues – such as how to satisfy the transparency obligations. The majority of AI/ML systems used for the benefit of individual patients will fall under the definition of a medical device (see 6.1 Categories, Risks and Regulations Surrounding Software as a Medical Device Technologies).

The Use of Personal Data for the Development of AI/ML

The use of medical personal data for research and development, in particular for development of AI/ML systems, falls under the GDPR, but currently there are no dedicated laws which would regulate the processing of medical personal data for such purposes by private business. Consequently, private business does not benefit from any exclusions or exceptions to the general rules of GDPR. This raises questions as to how some GDPR obligations should be performed.

AI/ML algorithms may find correlations within the data that lead to additional information about data subjects being established or change the outcome of previously conducted data protection impact assessments.

Finally, both as a result of combining different data sets and of AI/ML algorithms finding correlations between the data that lead to additional information about data subjects being established, data that was anonymous data may be re-identified.

Currently, there are no laws or guidelines on how medical data should be anonymised in order to minimise the risk of re-identification. This is an issue which necessarily entails some hard choices between the quality completeness of available data and patient privacy, especially because the growing volume and quality of data will mean that the line between data which enables re-identification and that which does not will be shifting.

In April 2021, the European Commission published its Proposal for a Regulation, establishing harmonised rules on AI. The proposal presents the legal framework for AI/ML systems, including essential aspects such as regulatory obligations for providers of AI/ML systems, AI post-market surveillance and conformity assessment of high-risk AI.

Proposal for a Regulation Laying Down Harmonised Rules on Artificial Intelligence (AI Act)

The draft AI Act will have significant consequences for medical devices producers. Under the AI Act, producers of high-risk AI systems will need to meet stringent regulatory requirements, eg, implement a dedicated risk management system, ensure appropriate quality of training and validation and testing datasets, develop appropriate technical documentation, implement cybersecurity solutions and ensure that the AI system is designed and developed in such a way to ensure that their operation is sufficiently transparent to enable users to interpret the system’s output and use it appropriately.

In practice, all AI/ML medical device software will constitute high-risk AI systems under the AI Act.

The requirements of the AI Act and the Medical Devices Regulation/In-vitro Diagnostic Medical Devices Regulation will both apply, so all AI/ML medical devices will have to satisfy the regulatory requirements of both.

Polish law does not foresee any national solutions that concern the use of AI and ML in healthcare specifically. In a broader context, the draft act on quality in healthcare and patients’ safety is worth mentioning. The draft proposed to introduce solutions that will provide patients and healthcare professionals with access to reliable, objective, and comparable information on the quality of healthcare. It will also require healthcare providers to implement an internal quality and safety system.

In 2021 the Polish Council of Ministers published its Strategy for the development of AI in Poland from 2020. The strategy includes an overview of possible changes and new regulations in the field of, inter alia, liability related to the use or creation of AI (the document proposes liability of AI producers based on the principle of due diligence, as opposed to the risk-based liability of AI operators, as well as differentiating the liability of end users from the liability of AI operators).

Considering that regulations concerning accessibility and rules on use of data are crucial from the perspective of AI/ML development, two more draft acts should also be mentioned: (i) Proposal for a Regulation on the European Health Data Space (Data Act) and (ii) Regulation on Harmonised Rules on Fair Access to and Use of Data ("Data Act"). See 5.4 Proposed Regulatory Developments.

Companies that develop and sell digital healthcare technologies may have to address the following regulatory and legal issues:

• GDPR compliance and interplay between GDPR and patient rights. The use of medical data has to comply with GDPR requirements. Sometimes consent will be the only legal ground for processing patient data, and in such circumstances companies need to implement adequate tools to obtain and manage patients’ consents. The interplay between GDPR and healthcare sector regulations may require business models or implemented technical solutions to be modified.
• Data transfers outside the EU/EEA - data transfers outside the EU/EEA, remain a practical challenge in many circumstances.
• Liability rules for medical devices are subject to product safety and liability rules, however, certain features of digital technologies present challenges when applying these rules. This creates legal uncertainty for businesses and may make it difficult for patients and other injured parties to receive compensation.
• Comprehensive reform of the medical device law. If new technologies products meet the definition of a medical device or in-vitro medical device, new requirements introduced by the MDR and Regulation (EU) 2017/746 on in vitro medical devices ("IVDR"), which are directly applicable in all member states, must be followed. In addition, a new Act on Medical Devices came into force in Poland as of May 26, 2022, which also introduces certain obligations related to the introduction of medical devices on the Polish market.
• AI systems (especially AI/ML medical devices) need to meet a number of regulatory requirements under both MDR/IVDR and the AI Act. Some of those requirements may be difficult to address (such as the obligation to ensure appropriate quality of training and validation and testing datasets) or the modalities of meeting them may still be under development (such as the requirement to ensure that the AI system is designed and developed in such a way to ensure that their operation is sufficiently transparent to enable users to interpret the system’s output and use it appropriately).

The above-mentioned issues should be addressed in contracts with healthcare institutions and other customers using such new technologies. Despite the fact that such contracts are typically drafted by the vendors, healthcare institutions usually try to negotiate and change the wording of the vendor-prepared drafts. Usually the negotiations concern the division of parties’ responsibility during product integration with the client’s environment, helpdesk and technical support clauses, service-level agreements (SLA) clauses, vendor limitation of liability clauses and vendor secondary use of data clauses.

From 1 January 2021, all HSPs are required to keep medical records in electronic form. In practice, however, many HSPs are not prepared to fulfil this obligation, with the infrastructure of many institutions being either poor or outdated (all the data mentioned below is current as of December 2019).

However, the level of IT infrastructure looks adequate: 95.97% of HSPs report that either all (56.89%) or the vast majority (29.55%) of rooms where medical files are being used have access to an IT network. Similarly, 90.29% of HSPs report that either all (65.58%) or the vast majority (24.71%) of their medical staff have access to a computer, while 82% of hospitals and 64% of outpatient clinics (including primary care clinics) report that they have the IT infrastructure that is necessary for storing patient medical files in electronic form.

At the same time, HIS, LIS, PACS, RIS and Medical Data Warehouse software are used by only 30% of HSPs. Over 90% of HSPs do not use any Medical Data Warehouse software. Over 73% of HSPs do not digitise their existing medical records and over 83% of HSPs have not implemented any digital services designed for other HSPs. About 50% of HSPs do not have a digital medical records repository (which would include file metadata enabling record search). Only 10% of HSPs record any type of patient consent in digital form, while 66% of HSPs share medical records with other HSPs only in paper form.

Another problem is the low quality of medical data produced by HSPs: data is often inconsistent, incomplete or out of date. This is due to both factual reasons (the foregoing problems with IT infrastructure) and legal reasons (an excessive number of acts and legal norms regulating the principles and standards of creating and accessing medical records, and at the same time the lack of sufficient unification of documentation inter-operability standards and their appropriate enforcement).

Only 30% of HSPs use the Polish National Implementation of the HL7 CDA standard that defines the syntax and semantics of electronic medical documents for the purpose of their exchange.

Additionally, public databases in which medical data is processed (see 2.2 Recent Regulatory Developments and 10.1 The Legal Relationship Between Digital Healthcare and Personal Health Information) are highly dispersed and there has accelerated this development.

There are no dedicated Polish regulations concerning implementation of IT upgrades. In the case of healthcare institutions' general requirements concerning safety of IT environment used to process patient data (such as the Act on Patients’ Rights and the Patient Ombudsman, the Act on Healthcare Services, the Act on the Information System in Health Care and their applicable implementing regulations) apply.

In the case of medical devices the obligation to implement necessary hardware upgrades/software updates forms a part of the manufacturer’s obligation to ensure product safety. These issues should be addressed in the manufacturer’s quality management system. The MDCG issued a dedicated Guidance on Cybersecurity for medical devices (2019-16 Rev.1).

The Polish draft Act on quality in healthcare and patients’ safety aims to obligate HCPs to implement internal quality management systems which will also have an impact on the hardware upgrade/software update life cycle.

Digital health solutions can be protected by variety of IP rights, including patents, copyrights, or trade secrets. Patents may cover medical devices or their components, as well as (although less often in the case of digital health) substances and methods (except for treatment or diagnosis methods, even if performed by a device, eg, a remote diagnostic tool). Software, as such, is expressly excluded from patentability, even though it can support, or itself be, a digital health solution. The Polish Patent Office has also been reluctant to grant protection to computer-implemented inventions (deemed patentable elsewhere in Europe). However, this may change shortly as a result of the latest legislative changes.

Software solutions can be protected in Poland by copyright, just like any other works of authorship. Authorship of other beings, including AI, is discussed by academics and practitioners, but the opinion that, under current laws, it can only be human authorship that prevails. AI has not been recognised as an inventor under Polish patent laws.

Digital health solutions may be protected as trade secrets, which are defined as technical, technological, or organisational information that has economic value, and remains confidential (due to the acts of diligence taken by its holder).

Structured databases are subject to a specific, sui generis IP right in Poland (and in the EU), whereas raw/unstructured data does not, as such, fall into any general protection regime.

An obvious advantage of any registered IP right (patents, trademarks, designs) is an ease of proving their existence and scope. On the other hand, non-registration rights, such as copyrights, database rights, or trade secrets, always require additional action to prove that the owner is entitled thereto. The case-law of Polish courts emphasises, eg, in trade secrets cases, that the business must be able to prove not only that certain information is confidential, but that real measures were taken to keep it confidential (otherwise protection will be denied). On the other hand, the great advantage of rights as trade secrets is the lack of the need to register and longer (in some cases unlimited in time) protection.

Licensing structures usually depend on the nature of a product. Where it constitutes software downloadable to the user’s device, a license agreement is usually offered. Whereas for web applications, the SaaS (or similar) models are used. The licenses are also provided along with the devices delivered to customers/patients if they implement more complex technologies. For simple tools (assuming they are protected by any IP), rights of a legal purchaser (including, so called, legitimate user of software) usually suffice.

Involving academic institutions in developing an innovation usually requires the establishment of rules of allocating the resulting IP rights. Under Polish law, the rights are vested in the authors/inventors. This rule may be contractually modified, including between inventors and their employers and/or between universities and healthcare institutions. The arrangements between universities and other institutions usually set the rules of the final allocation of rights in a proportion that is supposed to reflect the role or expenditures of each party in creating IP rights.

Private-sector companies involved in developing the innovation are usually keen to acquire all the respective rights. However, other scenarios are available (eg, the split of IP rights between a private entity and a university's special-purpose vehicle). Different rules may apply in the case of publicly financed research and development. The public sponsor may impose specific rules of allocation of these rights among beneficiaries.

The general principle is that, by default, IP rights are vested in the authors/inventors in proportion to their actual contributions. As the actual proportions of these contributions may be challenging to be unequivocally established in practice, the division of shares in the rights is usually predetermined at the very beginning of the co-operation. However, the actual contributions may differ quite significantly from those which were assumed and so the need to modify the prior arrangements may arise. Hence, the best practice in collaborative developments is to define the pre-established split of shares in the IP rights but also the principles of their modification (and, if necessary, respective compensations) if the contributions turn out to differ significantly from the assumptions.

Liability of HSPs and Doctors

HSPs and doctors will be liable for patient injury, either contractually or tortiously (depending on whether the healthcare services are publicly financed, whether the patient has a contract directly with the doctor or the doctor is employed by the HSP). In both cases, liability is based on fault, but under contractual liability there is an inverted burden of proof when it comes to fault, so it is for the respondent to establish that the injury is a result of circumstances for which they are not at fault.

If the HSP or the doctor is found liable, they may have recourse claims towards the digital health-technology producers or service-providers, if their products caused or contributed to the injury.

Healthcare professionals might also be subject to criminal liability. Criminal liability can result, for example, from performing a procedure without the patient's consent or patient death or injury resulting from the healthcare professionals' culpable actions.

Liability of Producers and Service-Providers

Digital health technology producers or service-providers can be liable on their own for patient injury caused by their product under the product liability regime (the Polish rules are an implementation of the EU Product Liability Directive).

The definition of a product has been interpreted broadly and covers not only physical products such as medical devices, but also the software which is part of those products (although stand-alone software, ie, software which is not incorporated in a physical product, would not be considered as falling under the defective product liability regime).

The producer is subject to strict liability (irrespective of fault). The injured party is entitled to compensation if they prove the injury, the defect in the product and the causal link between the product being defective and the injury.

A product is defective if, at the time of placing it on the market, it does not provide the safety that the public is entitled to expect, taking into account the use to which it could reasonably be expected to be put, the general state of knowledge at the time, and the way it was presented to its users. A product cannot be considered as defective just because an improved version is subsequently introduced onto the market.

The producer will not be liable inter alia if, at the time when the product was put into circulation the state of scientific and technical knowledge was not such as to enable the existence of the defect to be discovered.

Digital health technology suppliers can be also liable on their own for patient injury caused by their products based on general tort law. In this case, beside the injury and the causal link, the supplier’s fault needs to be established as well.

Liability for Using AI/ML

Although the product liability regime works well when it comes to the majority of digital health technologies, its rules may not adequately take into account the specific circumstances associated with developing, training, validating and using AI/ML algorithms. Because of this, new rules of liability for AI/ML are currently under discussion both at the national and European level (see 16.1 Hot Topics That May Impact Digital Healthcare in the Future). 

Digital health-technology producers or service-providers are contractually liable towards their clients. Although contractual liability as a general rule is based on fault, the precise regulation of the scope and character of the parties’ obligations is of the utmost importance. Agreement should specify each party’s obligations regarding IT security, data security, data-sharing, employee training, etc. In appropriate cases, SLAs should be concluded.

If the vendors process patient personal data as a result of supplying the technology to the HSP, appropriate data processing agreements should be concluded, which should cover issues of data security, sharing information on data breaches, parties’ co-operation in the case of data breaches, corrective and preventive actions (CAPAs) and the admissibility of anonymising data for secondary use, etc.

The administrative fines that the data protection authority can impose on public hospitals are significantly lower than the ones defined in the GDPR (PLN100,000), so any indemnity clauses in contracts with public hospitals should take that into account.

Liability for AI/ML and the impact of AI/ML systems on HSP and doctor liability, will definitely be areas of interesting developments in the future. AI/MLs being regarded as more effective than humans will have a profound impact on issues of standard of care, a doctor’s due diligence and issues such as whether following AI/ML recommendations can be an exculpatory circumstance.

New rules of liability for AI/ML are currently under discussion, both at the national and European level. On 20 October 2020 the European Parliament passed a resolution with recommendations on a civil liability regime for AI.

Under the proposition, any operator of a high-risk AI-system would be strictly liable (irrespective of fault) for any harm or damage that was caused by a physical or virtual activity, device or process driven by that AI-system.

The term “operator” would cover both "front-end operators"; ie, anyone who exercises a degree of control over a risk connected with the operation and functioning of the AI system and benefits from its operation; and "back-end operators"; ie, anyone who, on a continuous basis, defines the features of the technology and provides data and an essential back-end support service and, therefore, also exercises a degree of control over the risk connected with the operation and functioning of the AI-system.

Liberalising the rules of access to medical data for research and development purposes is being discussed and there is likely to be some important changes. Some forms of data trusts (eg, foundations, associations representing patients and other stakeholders) may be established.

This will also raise the issue of establishing laws or guidelines on how medical data should be pseudonymised or anonymised in order to minimise the risk of re-identification and the rules of handling non-personal medical data (which is not protected under GDPR). On 3 May 2022, the EU published a Proposal for the European health data space, which will have a significant impact on these issues.

Access to more high-quality medical data will make Value-Based Healthcare projects more feasible – for example, establishing risk-sharing schemes in reimbursement decisions, which connect payments between the National Health Fund and the reimbursement applicant with the product’s therapeutical efficacy (based on data obtained, eg, from public registers).