The digital healthcare sector in the Kingdom of Saudi Arabia (the “Kingdom”, or KSA) is constantly developing to address the Kingdom’s response to health and related economic and social impacts. Telehealth/telemedicine is a good example of the use of digital healthcare and digital medicine, which entails the use of technology such as electronic information and telecommunication to provide digital solutions for healthcare institutions and patients. The capability of such platforms extends to monitoring patient health and subsequently facilitating patients obtaining medical advice based on the results.

Therefore, the Ministry of Health (MoH) is seeking to develop telemedicine as part of its desire to advance the field of digital health in Saudi Arabia and increase awareness and regulatory guidance on remote diagnosis and examination services through advanced electronic means. The MoH has implemented several additional e-health and electronic information platforms to promote and provide healthcare and telemedicine, which will be explained below.

According to the Digital Health Strategy update issued by the MoH, digital health is defined as “the cost effective and secure use of information and communication technologies and the associated cultural change it induces, to help people manage their health and wellbeing and transform the nature of health care delivery”. The MoH has issued decisions and guidelines to regulate the use of telehealth in the KSA, such as the Regulation Governing Telehealth (telemedicine) issued by the National Health Information Centre (NHIC) (the “Telemedicine Regulations”).

The Telemedicine Regulations define telemedicine as “a remote medical practice using information and communication technology”, and refer to the interaction between a healthcare practitioner and patient. It is further explained that the MoH is working to create a programme regarding e-health that is a "safe, efficient health system, based on the care centred on a patient, standard-oriented, and supported by the e-health". The MoH defines e-health as the usage of information technology (IT) and digital communication as a means of providing services such as diagnoses, examinations, medical assessments and communications between patients and professional health practitioners.

As part of the Kingdom’s Vision 2030, the MoH aims to improve healthcare through IT and digital transformation. The use of digital technologies has enabled remote monitoring services and artificial intelligence (AI) systems to perform virtual appointments and consultations. The implementation of E-health systems began to arise throughout several hospitals and organisations. Such key systems include the following.

Telemedicine

Telemedicine is the use of IT and electronic communication platforms to connect patients with healthcare professionals using electronic communication systems. The benefits of telemedicine involve remote examination, analysing health results and forwarding the results to the appropriate authorities, and other medical applications that can be performed using computers and other types of communication systems.

Electronic Medical Record (EMR)

An EMR is an electronic healthcare information record that stores patient information. It helps store and analyse medical records from services rendered to patients in different departments. The EMR system has been implemented across hospitals in the region for patients and medical professionals to access data from remote premises.

Picture Archiving and Communication Systems (PACS)

The objective of PACS is to replace manual medical imaging systems that depend on radiological films with digital systems that allow a multitude of healthcare specialists to examine digital images through online networks. This overcomes problems relating to lost images, which would reduce the time and cost of taking additional images multiple times.

Emergency Response Plan (ERP)

The ERP is a set of guidelines for individuals to follow during unforeseen events or in the case of emergencies.

Computerised Provider Order Entry (CPOE)

This system aims to reduce the occurrence of medication errors and has been recently implemented in hospitals and healthcare facilities in the Kingdom. CPOE systems allow health institutions and practitioners to electronically enter medical information and orders for patient access and reference.

Patient Portals

Various hospitals have begun to initiate the use of patient portals, which are secure websites that allow patients to access personal health information wherever they are, provided they have access to the internet. Patients may also view lab results, medications, allergies and other medical options.

Mobile Applications

Mobile applications offer prevention services, self-management and educational tools. The MoH has introduced a number of applications in its mission to improve e-healthcare systems. Further examples of such e-health mobile applications include the following.

• Sehaty, which was introduced to allow individuals to book appointments in the closest COVID-19 testing location. Users also have the ability to view their results within 24 hours of taking the test in the same app.
• Tetamman was also launched, by the MoH, with the purpose of monitoring individuals who were asked to isolate, due to being infected with the virus or being in contact with another person who was infected. There are other services offered by Tetamman, such as contacting healthcare practitioners regarding a follow-up of their tests or to book a re-test when needed.
• Tabaud was developed by the National Information Centre (NIC) and the Saudi Arabia Data Artificial Intelligence Authority (SDAIA), and was then launched by the MoH. The Tabaud application provides services that include:
1. notifying users if they have been in contact with a person infected with COVID-19;
2. providing aid to users who have recently tested positive or users who have been in contact with an infected person by sending their details to the MoH, which then provides them with the necessary guides and medical support in accordance with the severity of their case; and
3. giving the opportunity to users who have tested positive to voluntarily share their test results with people they have been in contact with in the past 14 days.
• Mawid is an e-service booking application that was established by the MoH that allows users to book and/or cancel appointments at different healthcare centres within the KSA.
• Tawakkalna was introduced by the SDAIA and approved by the MoH with the aim of supporting the efforts to limit the spread of COVID-19. The application reflects the medical condition of users and whether they received any doses of the COVID-19 vaccine, in addition to the number of such doses, including booster shots. Depending on the vaccine status, users are then issued an immunity passport that can be used in various countries around the world and acts as proof of a valid COVID-19 vaccination.

The emerging issues arising from the growth of digital health relate to various security and data protection-related concerns. Overall, digital health providers are required to comply with the commercially adopted standards of medical care, and regulations relating to medical devices, data privacy and security. Some of the key challenges are described below.

Antitrust, Abuse and Fraud

Considering the expansion of digital health operations in the Kingdom, service providers must comply with the Saudi Anti-Fraud Regulations to minimise the risk of fraud and abuse. Digital health companies must implement enforcement and monitoring strategies to minimise such risks associated with data sharing activities and data breaches.

Technological and Professional Standards

As more digital health devices are adopted by employers and consumers, there is a need to employ qualified health professionals and technology specialists who can meet the developing e-health standards. This is to ensure that employees in the industry comply with the current commercial standards to limit any potential liability. Technological difficulties may arise with regard to security and database management due to the use of electronic means instead of paper medical records. Different hospitals follow different policies regarding the usage of e-health systems. Therefore, inaccurate records or damage to patient and medical information may prove to be challenging as there is a high degree of dependence by medical professionals on the use of reliable records.

Confidentiality and Data Privacy

Due to the sensitive nature of patient information and data, the protection of privacy, security and confidentiality are significant and must be maintained and safeguarded. Healthcare practitioners or institutions dealing with such sensitive information should consider seeking consent, notifying potential data subjects of third-party use of information and a breach of any data records. The growing use of online data processing and storage of patient health records through different service providers results in challenges related to professional training and accuracy of information, as these issues affect potential liability.

Product Liability

Product liability may be imposed on any data provider, software developer, device manufacturer, or the company commercialising the product, for involvement in any product defects that resulted in misdiagnosis or injuries to patients. Disciplinary actions would be applied in accordance with the Law of Practicing Healthcare Professions and the Consumer Protection Association of Saudi Arabia, which aims to protect and safeguard all consumer rights.

Due to the effects of the COVID-19 pandemic, the need for, and use of, digital health increased rapidly. As such, the implementation of digital health has faced barriers due to heightened legal scrutiny from regulators in the Kingdom. Nonetheless, the challenges posed by the rise of digital health during the pandemic led medical professionals to adopt new technology health advancements and telemedicine practice.

The implementation of the Digital Health Strategy by the MoH provided for easier patient access to medical consultations at cost-effective rates, distant monitoring and health information management systems, which have transformed the method of providing healthcare services to patients in the KSA. The Digital Health Strategy facilitated maintaining low COVID-19 infection rates through platforms such as Tawakkalna, Sehhaty, Tetammen and EMR, as explained in 1.3 New Technologies.

The MoH and the Saudi Food and Drug Authority (SFDA) are the main regulatory bodies overseeing the healthcare industry in the Kingdom. The MoH is the authority responsible for supervising the management, financing and organisation of the healthcare industry. This includes implementing health policies and guidelines, and permitting the use of e-health apps. The MoH regulates with the aim of improving digital healthcare as part of the KSA’s Vision 2030, approving numerous telemedicine and digital healthcare technology uses.

Furthermore, the SFDA regulates three primary industries in the Kingdom, including food, drugs (medicine) and medical devices. Companies or pharmacies must seek the SFDA’s approval for carrying out activities relating to medical devices, medical supplements, healthcare products and food. The SFDA also oversees the overall legal framework to authorise medical devices used in the Kingdom, in which manufacturers seeking to supply medical devices in the KSA must obtain the requisite licensing and approvals from the SFDA.

A key regulatory development is the recent public consultation and release of the draft Personal Data Protection Law (PDPL), which is intended to be adopted by all entities within the Kingdom in March 2023.

The draft PDPL protects the use of personal data; ie, any information, in whatever form, in which a person is directly or indirectly identified. The draft PDPL would further provide for protection on patient data processed through digital devices, which previously lacked clear regulatory guidance under the current laws. The draft PDPL has differentiated the terms "personal information" and "sensitive information", in which sensitive information includes health data; ie, all personal data relating to an individual’s health or relating to a health service such as hospitalisation, medication and treatments.

Additionally, the draft PDPL restricts access to health data, including medical records, to the fewest possible members of staff, as well as limiting the involvement of third parties to the required scope of medical service. As such, it is important to note that the PDPL (when in force) would impose further obligations relating to the security of personal and sensitive data on digital health companies, while also imposing potential penalties for a breach of a patient’s personal data.

The SDAIA is encouraging all entities to participate in any future initiatives to enhance and amend the law based on public responses.

The Law of Practicing Healthcare Professions outlines the obligations for healthcare professionals in relation to professional responsibility, duties and necessary licences. It also imposes penalties and disciplinary actions for professional violations, including issuing warnings, fines of up to SAR10,000 and cancellation of the healthcare professional's licence. The Law of Practicing Healthcare Professions further imposes civil liability, whereby patients are entitled to claim damages and can be indemnified in the case of a breach of duty or malpractice by the healthcare professional.

Additionally, the draft PDPL stipulates criminal and administrative sanctions for the disclosure of sensitive data and breaches of cross-border data transfer restrictions. The penalties and fines range from approximately SAR1 million to SAR5 million depending on the severity of the violation, with further prospects of the penalty increasing for any repeat offenders.

The Telecommunications Law specifies sanctions in the event of a breach of privacy within the telecommunications sector.

The Cybersecurity Law imposes fines of up to SAR3,000,000 for disclosing or providing unauthorised access to private data, which extends to distributing, leaking or destroying such data. Further criminal sanctions may include imprisonment for repeated violations.

There are many concerns that relate to the advancements in healthcare services and delivery of such services, specifically with regard to the use of mobile applications and digital health platforms that permit the monitoring and collection of personal data to administer and regulate medication schedules, track personal health, and notify of any abnormalities. As such, the concept of digital health also carries with it security and data breach concerns and such concerns have resulted in extensive legal regulations.

The importance of personal data security and confidentiality was recognised by the SDAIA and reflected in the draft PDPL, which stated it would apply to all sectors to further safeguard and ensure the security of personal data processed in the KSA. Additionally, the Penal Law on Dissemination and Disclosure of Confidential Documents and Information prohibits an individual from jeopardising the safety and security of the Kingdom by disclosing confidential information. Additional laws protecting the use of personal data include:

• the Saudi Anti-Cyber Crime Law (regulated by the Ministry of Communications and Information Technology);
• the Saudi Telecommunications Law (regulated by the Communications and Information Technology Commission); and
• the E-Commerce Law (regulated by the Ministry of Commerce).

Generally, diagnostic care is offered to treat existing medical concerns, whereas preventative care is the method of detecting health concerns prior to any symptoms developing. Regulatory schemes in the KSA do not differentiate between the two types; however, there are healthcare institutions and systems implemented to oversee the healthcare services offered. This includes the concept of primary healthcare (PHC) in line with the KSA’s Vision 2030 goals.

The PHC initiative was adopted in an attempt to improve health education and disease prevention, in addition to the promotion of healthier lifestyles. The services offered by PHC include:

• controlling infectious diseases through immunisation;
• child and maternity health;
• basic dental services;
• chronic disease management;
• essential medications; and
• health education.

Primary care services are provided through a network of primary healthcare centres (PHCCs), which are easily accessible and have satisfactory standards of infrastructure and equipment, with the focus of improving the health sector, and several medical laboratories and diagnostic centres have emerged within the Kingdom in recent years.

As a result of the COVID-19 pandemic, there is an increased use of preventative care to address medical concerns and limit any negative impact at an early stage. In addition, the Kingdom’s Vision 2030 has resulted in implementing the Health Sector Transformation Program to ensure the development of medical services, with increased awareness of adopting more advanced methods and devices to restructure the current industry and provide a more effective and integrated system that contributes to the improvement of overall health in the Kingdom.

Moreover, the Saudi Central Bank (SAMA) governs and monitors the insurance sector in the KSA, including medical insurance, which covers medical treatment costs, medications and services. The concept of PHC is relatively new in the Kingdom, but with the proposal of the Model of Care (which was introduced as part of the Kingdom’s Vision 2030), the MoH focused on upgrading PHC systems to improve the Kingdom’s healthcare development with regard to its methods, efficiency and technology. The MoH further implemented strategies such as raising awareness of PHC, allowing easier access by online appointment bookings, and introducing new automated, standardised systems to make PHCCs more efficient.

Accordingly, the recent developments in the healthcare sector in the Kingdom have resulted in the advancement of the technological capabilities of healthcare providers and allowed healthcare systems to have extensive coverage throughout all regions in the Kingdom, as well as improving the quality standards when providing such healthcare services. Perhaps the most notable accelaration of development in the healthcare sector was due to the COVID-19 pandemic, which required the adoption of advanced technology, lower costs, and an increase in the regulatory development with respect to healthcare and the use of advanced technology to prevent, and respond to, COVID-19.

The use of wellness and fitness programmes prompts individuals to provide data through online health surveys, transferring genetic material, and the use of fitness trackers, in which such personal information is used to analyse personal life developments, with the aim of managing and improving health and well-being. Such use of personal data would be subject to the PDPL (once implemented) with regard to confidentiality, security and storage of individuals’ personal data and information.

The legal system in Saudi Arabia is uncodified and based on Islamic sharia, and does not recognise "judicial precedent". As such, laws in the KSA are developed and enacted pursuant to legislation (such as royal decrees, royal orders and ministerial resolutions) as opposed to laws being developed by the KSA courts.

Regulations that relate to healthcare include:

• the Private Health Institutions Law issued by Royal Decree No M/40 dated 3/11/1423H (2002G);
• the Executive Regulations of the Private Health Institutions Law, issued by Ministerial Decree 683151 dated 10/3/1436H (2015G);
• the Executive Regulations of the Health Practice Law, issued by Royal Decree No M/59 dated 4/11/1426H (2005G); and
• the Legal Regulations for Telehealth Services, issued by Royal Order (No 47455) on 9/8/1441 (2021G).

In line with the KSA’s Vision 2030 goals, the Kingdom has increased the usage of PHCCs around the KSA, which is resulting in the development of new regulations from various sectors. Such sectors involve SAMA as the regulator of the insurance sector. Furthermore, due to the increase of PHC usage, the development of the healthcare methods, devices and technology used is accelerating. An example of this is the increase in the use of telehealth systems/devices, which are being increasingly implemented within PHC services, such as communication channels and already-existing devices and platforms that promote telehealth usage with respect to PHC.

The SFDA regulates and specifies the types of medical devices that are allowed to be introduced into the Saudi market. Companies seeking to sell specific types of medical devices will have to obtain licences and approvals from the SFDA, including representatives who act on behalf of foreign manufacturers.

The SFDA has launched the Medical Devices National Registry (MDNR) to obtain the profile of the medical devices that are allowed in the KSA, and establish a database of all manufacturers, companies and suppliers.

The SFDA further introduced the National Centre for Medical Devices Reporting (NCMDR) to record, analyse and manage medical devices. The NCMDR’s main objective is to prevent repetition of adverse events. Authorised representatives, manufacturers, importers, distributors and users are expected to inform the SFDA of any adverse events that took place and that they have been made aware of.

In addition, the SFDA introduced a Medical Device Establishment Licensing System for institutions involved with the importation and/or distribution of medical devices in the Saudi market. Medical devices must be registered in the MDNR to ensure that they are able to appropriately manage the imported and/or distributed devices in relation to storage, transport, traceability and installation.

Therefore, companies seeking to enter the market and introduce new technologies must comply with the aforementioned SFDA procedures and guidelines while also considering, and complying with, the relevant licensing requirements when promoting the use of such technologies in the healthcare sector in the KSA.

The internet of medical things (IoMT) includes devices and applications that are designed to enable healthcare providers to communicate and provide healthcare services through digital platforms and devices via the internet. The advancement of the IoMT facilitates the further development of monitoring patient health for medical assessments, results and training purposes. Applications such as Sehha, which has been introduced by the MoH, allow medical practitioners to virtually communicate with users for diagnoses and treatment for a range of medical issues using the internet. This is in line with a variety of recently developed technologies that are used to communicate with medical professionals through video, audio and written means. The developments allow the updating of user data in relation to examination results, and the provision of prescriptions and necessary medical advice for homecare services.

Moreover, as previously mentioned, the MoH has recently approved and launched technology applications that utilise the IoMT for the purposes of monitoring COVID-19 cases and user health status, such as Sehaty, Tetmmen, Tabaud, Tawakkalna and Mawid, which were described in 1.3 New Technologies. Considering the usage and benefit of such applications, the digital health solutions deployed will further advance service options to shift the current health infrastructure and introduce technological innovations in the Kingdom using the IoMT.

The Law of Practicing Healthcare Professions imposes civil, criminal and disciplinary liability for malpractice, professional violations and criminal violations.

Civil Liability

Article 27 of the Law of Practicing Healthcare Professions imposes civil liability on healthcare professionals for errors in treatment, lack of knowledge or skills, inadequate monitoring or supervision, or failure to attend patient needs. Such civil liability cannot be limited or excluded.

Criminal Liability

Article 28 specifies that providing false information, practising healthcare without the appropriate licences, or neglecting treatment may result in imprisonment for up to six months or a fine of up to SAR100,000, whichever is applicable to the case.

Disciplinary Liability

Article 32 states the violations relating to a practitioner who defaults in carrying out their duty or violates their code of conduct and/or ethics may be subject to disciplinary action, including a warning, a fine of up to SAR10,000 or the cancellation of their medical licence.

From the practitioner’s perspective, the Kingdom has implemented insurance policies in line with the regulations of the Saudi Commission for Health Specialities that provide protection against financial consequences arising out of potential adverse outcomes against healthcare professionals.

Technological developments and the new generation of the IoMT are significant in acting as interactive tools between healthcare practitioners, patients and healthcare service providers. The data sharing nature of such tools poses cybersecurity risks in terms of unauthorised access and breaches to privacy, in that there is an increased risk of hacking threats and breaches to IT infrastructures as a result of recent advancements and reliance on the IoMT. For this reason, digital technology companies are urged to ensure they have solid security policies in place and clear data protection provisions in their contractual arrangements.

The Communications and Information Technology Commission (CITC) has also urged companies to take further security procedures with respect to internet of things solutions and to mitigate cybersecurity risks by incorporating end-to-end encryption, firewall barriers and extensive automation to enhance cybersecurity and avoid unforeseen data leaks and data breaches.

The MoH has recently approved the charter of the NHIC, which, in parallel with the MoH, will regulate and supervise healthcare services and healthcare institutions. The MoH's decision will be enacted in successive stages in which holding companies will be established to implement a set of digital health programmes and virtual medical care services to expand digital health, while the MoH will oversee regulatory preparations to cover the scope of any such advancements.

The SFDA is the body that regulates software that would fall under the definition of a medical device. Article 1 of the Medical Device Interim Regulations defines a medical device as: “any instrument, apparatus, implement, machine, appliance, implant, in vitro-reagent or calibrator, software, material, or other similar products or related article which: (i) is intended by the manufacturer to be used, alone, or in combination of diagnosis, prevention, or monitoring, and (ii) which does not achieve its intended action in or on the body by pharmaceutical means but which may be assisted in its intended function by such means.”

The SFDA further established the National Centre for Medical Devices Reporting to manage and record adverse events that may occur from medical devices. Furthermore, in 2021, the SFDA issued guidance on the Review and Approval of Data Based Medical Devices and Artificial Intelligence, in which it outlines the requirements to use AI medical devices. The requirements stipulate the need for digital companies to test AI patterns and monitor the results when predicting or diagnosing diseases. The SFDA guidance further provides information on the criteria for a software product as a medical device, risk classification, standards of the software, and compliance with registration and approval requirements. The guidance applies to software such as computer-aided detection/diagnosis and clinical decision supporting software. The scope extends to hardware-configured AI software and standalone software types of medical devices that apply machine learning AI technology that predicts, manages and diagnoses diseases by analysing medical data.

Moreover, the classification of medical devices is based on the degree of potential risk and the intended use of the medical device according to the Guidance on Requirements for Listing and Medical Device Marketing Authorization.

As explained under 1.2 Regulatory Definition, the MoH and the NHIC have approved the Regulation Governing Telehealth. The NHIC also launched the Saudi Telehealth Network to remotely connect various healthcare facilities with PHCCs via the telehealth systems. Further initiatives offered by telehealth and telemedicine efforts include remote access to appointments and qualified health professionals. The role of telehealth/telemedicine in the KSA is to develop the standard and quality of healthcare services provided in the Kingdom in a faster and more cost-efficient manner, regardless of the size of the healthcare facility or the geographical location thereof.

The regulatory environment in the Kingdom has been evolving to encourage organisation and efficiency in offering digital health solutions in response to COVID-19.

Among the regulatory digital platforms that were introduced during the COVID-19 pandemic, Tawakkalna has become prevalent to access public spaces and record users' health status in accordance with the MoH requirements. In terms of the use of online platforms for business purposes, such platforms are required to disclose the extent to which data is recorded and offer authentication and encryption of data to comply with data privacy regulations.

Digital platforms such as Tawakkalna are to be permanent fixtures in the KSA as they include digital services such as a virtual health passport, a virtual national ID, a virtual driving licence, insurance, an emergency ambulance request and an online organ donation platform.

The Ministry of Finance and SAMA oversee financial payment processing in Saudi Arabia. The online payment (and potential reimbursement) of telehealth services can be seen as a new challenge when compared to classic in-person payments. Generally, in the healthcare sector, there is more than one party involved in the payment process, including insurance companies, the patient, the relevant government authority and the telehealth company. Payment consistency can therefore vary between in-person consultations and telemedicine and will therefore depend on the payment processing system implemented by the telehealth company.

The IoMT is facilitating the monitoring of patients and enabling healthcare practitioners to conduct early interventions through diagnosis tools. The IoMT therefore serves healthcare providers in reducing costs and enhancing their proficiency. Sehha, which is an e-health mobile application, was launched to further support and increase the services provided as it is linked to over 100 hospitals within the Kingdom. The application incorporates the latest technology emerging in this sector and further contributes to the investment in medical devices and reports, as well as the training of newly qualified healthcare practitioners.

Additional technologies emerging in this sector include wearables that help monitor the health, fitness and wellness of a patient and provide an overview on an individual’s sleep pattern and heart rate. Such wearable devices include Fitbits and smart watches, which are designed to collect the personal data of the user’s personal health and fitness.

Telemedicine is another example of the use of the IoMT in the KSA, whereby telemedicine allows medical professionals to communicate with patients through digital devices and videoconferencing, using the internet to remotely monitor the patient and provide remote medical consultations.

The regulatory issues associated with digital assistants (such as Alexa) include access to patient data, misdiagnosis, variations in quality and security concerns. Given that virtual assistants and other applications related to AI would be exposed to processing personal data, such applications would therefore fall under the scope of the draft PDPL, under which the use of such devices in the healthcare sector is required to comply with the required data security and data storage obligations.

5G networks facilitate the implementation of augmented reality surgery, post-surgery care, home-surgery care, monitoring patients remotely and robotic-assisted surgery. The demand for 5G adoption is increasing as part of the KSA’s Health Vision to further enable the latest generation of technology to be utilised in the latest medical devices. Key contractual considerations would include details of operation, licence fees and standards of technical conditions and quality with respect to entering into contractual agreements with telecommunication companies for the use and utilisation of 5G for healthcare facilities and their medical devices.

The key legal issues that would arise in sharing personal health data for clinical purposes are confidentiality and the disclosure of personal information. Generally, disclosure would only be permitted for limited purposes for the safety of the patient. An exception for the disclosing party would be the transfer or processing of health information arising due to the need to preserve health, combat disease, or satisfy a requirement in the Kingdom’s interest. The draft PDPL imposes restrictions that would limit the role of de-identification and aggregation for the purposes of reducing precise data due to the monitoring terms involved.

In addition, a key development in the implementation of the PDPL is the rules concerning consent, as it is now recognised as the primary basis to carry out any means of processing for all types of data, whereby the SDAIA is the responsible authority for providing registration and fees to all data controllers dealing with personal data in accordance with Article 32 of the draft PDPL. The SDAIA will be the main regulatory authority for at least two years, upon which SAMA and the CITC will be the governing bodies responsible for maintaining such registrations and fees.

Please refer to 5.2 Legal Implications with respect to liability for any data breach or unauthorised use or access to personal health information.

The following matters are subject to review and approval by the SFDA when using AI in the healthcare sector:

• security standards;
• cloud server environment;
• technical specifications;
• performance and clinical efficiency;
• protection of sensitive data; and
• security requirements.

Risks may arise if medical information is transmitted through cloud technology that may modify data or damage information depending on the security rights. Therefore, regulations issued by the SFDA impose security requirements for the use of a network to include further encryption and proper authentication. Other issues include clinical accuracy where several studies are conducted on the sample data obtained from the technology. The draft PDPL facilitates the protection of confidential information and sensitive data, which would apply to medical big data that is being processed through machine learning and AI-based medical devices used by medical and healthcare institutions.

The current regulatory approach to the use of AI and machine learning data is to constantly review current trends and future products to ensure that any medical device incorporating AI is properly managed to protect patient data.

The Guidance on Review and Approval of Artificial Intelligence and Big Data based Medical Devices issued by the SFDA imposes provisions in relation to monitoring AI medical results and patterns to ensure that any services provided are completed with accuracy. It covers the scope of cloud computing technology, submission requirements for device approval, clinical validation, and further essential requirements when seeking to offer AI devices in the Saudi market. Clinical validation for AI-based medical devices is done through conducting a prospective study or a retrospective study with the applicable clinical trial procedure.

Legal and regulatory issues primarily consist of protection of personal information, obtaining the requisite approvals to efficiently provide digital healthcare technologies and ensuring the stability of the platform over time. Healthcare institutions and users should seek to clearly identify in any contractual arrangement the scope of expertise, licensing, data use and storage, IP use and IP rights in their contractual arrangements. The rights of use and ownership of such technology solution should be specified, along with the payment terms arranged at the outset. Further considerations include licensing or non-disclosure agreements depending on the scope of use and parties involved.

In consideration of the rapid growth of digital healthcare trends, digital health companies must constantly update their systems and/or devices to improve patient experience, quality and data protection standards in accordance with the applicable laws and regulations. Investments in digital transformation companies may also facilitate the ability to carry out such initiatives. Please also refer to 5.3 Cybersecurity and Data Protection with respect to the security procedures relating to IoMT solutions to mitigate cybersecurity risks and data privacy.

The following regulations are applicable with regard to the use of personal or sensitive data:

• the PDPL (which is currently in its draft form), which applies to the processing of data by any means, including data sharing and data storage;
• the Law of Practising Healthcare Professions issued under Royal Decree No M/59 dated 04/11/1426H, which sets out the duties and responsibilities of healthcare professionals, healthcare licensing requirements and the different liabilities imposed on healthcare professionals;
• the Saudi Health Information Exchange Policies issued on 21/04/2016, which aims to ensure the confidentiality of personal health data being shared and exchanged;
• the Penal Law on Dissemination and Disclosure of Confidential Documents/Information issued by Royal Decree No 16913/B dated 10/5/1433;
• the Anti-Cyber Crime Law issued on 03/08/1428 H (03/27/2007);
• the Document Records and Archives Law issued by Royal Decree M/54 dated 23/10/1409H; and
• the Document Archiving Regulations issued by Royal Decree 7/1379/M dated 21/7/1416H.

Additionally, the Law of Practising Healthcare Professions imposes an obligation on all health practitioners to protect patients’ data that they become aware of, except in cases where patients’ written approval is obtained.

Patent Protection

Patent protection is governed by the Patents, Layout Designs and Integrated Circuits, Plant Varieties and Industrial Designs Law, and its Implementing Regulations. The scope of patent protection relates to a group of integrated parts that form a single invention concept or a single invention. Inventions include any new methods of manufacture, improvement, and any new article including a product or a process. The scope of patent protection (which lasts for 20 years from issuance of the patent) extends to medical devices that have been created to work in co-operation with devices created for healthcare (including telehealth or telemedicine) purposes, including wearable devices such as smartwatches and Fitbits.

Copyright Protection

The Saudi Copyright Law governs the scope of copyright protection. This covers a work of authorship produced, published, displayed or performed for the first time within the Kingdom. The protection extends to copyrighted work included in treaties of international agreements to which the Kingdom is a party, such as the Berne Convention for the Protection of Literary and Artistic Works. The scope of copyright protection extends to medical mobile applications such as Tawakkalna and digital health products such as EMRs, which are subject to copyright protection in terms of the software and its coding. The duration of such copyright protection lasts for 50 years after the death of the author/creator.

Trade Secret Protection

The Regulations for the Protection of Confidential Commercial vaguely defines trade secrets as information not known in its final form or where the information is not easily obtainable by those who work in the same business. Protection of trade secrets extends to protect information of commercial value so long as the rightful owner takes reasonable measures to maintain its confidentiality. What is important to note here is that the Regulations do not provide for a limit on protection duration, except for information submitted to an official body or competent authority for the purpose of approval – ie, the marketing of drugs or for chemical substances used in chemical agricultural products – in which case, a minimum protection period of five years will apply.

The legal framework governing intellectual property in the Kingdom extends to protect different elements in relation to innovative products. However, there are many advantages and disadvantages that health institutions must be aware of. Such associated advantages include enhancing healthcare institutions’ value and competitive edge by protecting their name, brands and inventions, which also helps with the marketing of the medical devices and products. It is important to note that disadvantages arise in the costs associated with such protection and the potential difficulty in obtaining certain patents with complex products that involve several complicated processes, methods and designs. The legal framework governing IP is further described in 14.1 Scope of Protection.

Moreover, given that the notion of judicial precedent is not recognised in the KSA, the principles of sharia would apply with respect to IP protection in the absence of specific regulatory guidance.

Considerations for contractual licensing structures related to intellectual property include IP usage rights and third-party risks. The main licensing structures are exclusive or non-exclusive rights. Exclusive licensing restricts any third parties from having such IP rights, whereas non-exclusive licences allow the licensor to further exploit the IP and grant similar IP rights to third parties and other licensees to use the same IP granted to the initial licensee.

It is therefore important to assess any agreements and licences required, as well as clarify the ownership and usage rights of any IP. In addition, digital health companies should ensure that any potential inventions are confidential until any design or patent filing is obtained to ensure such inventions are appropriately protected.

The current legal framework in the KSA does not directly address the allocation of IP rights related to research for academic institutions, as such IP rights are generally identified in the contractual arrangements. Such IP rights and obligations would stipulate that any patent, copyright, trade secret or trade mark created will be considered the property of the physician and/or inventor or university and/or institution. It is usually the university and/or healthcare institution that retains ownership over any such research, invention or technology developed for it by virtue of the commercial or employment arrangement between it and the physician and/or inventor.

Contractual arrangements should address any third-party or joint rights and the procedure of establishing ownership of intellectual property during the phases of development of any digital health device or product throughout the term of the contractual arrangement. Important terms to include in such arrangements are ownership, usage rights, exclusivity rights, scope and duration of the licence rights, warranties and indemnities, and confidentiality. This will set out clear rights and obligations of all parties involved to avoid disputes regarding the development and use of such IP inventions and authorship.

As discussed in 6.1 Categories, Risks and Regulations Surrounding Software as a Medical Device Technologies, the SFDA governs medical devices that incorporate data analytics, AI, machine learning and software to ensure that any devices on the market have been tested, analysed and approved prior to their use by practitioners and patients. This therefore limits liabilities for any potential malpractice in terms of damaged or false information transmitted and shared. The professional liability imposed on healthcare professionals includes civil liability, criminal liability and disciplinary liability, as explained in 5.2 Legal Implications.

Healthcare institutions may be subject to third-party liabilities in the event that there are inadequate risk management systems in place. Therefore, health institutions should seek to determine the potential risk involved and the risk tolerance levels. They should also classify vendors with respect to the risk criteria, conduct proper due diligence on the vendor and address any vendor risks that arise from such assessment.

In line with the KSA’s Vision 2030, the following trends are likely to grow and have a notable impact on digital health in the Kingdom.

Virtual and Augmented Reality

Virtual and augmented reality is expanding to offer practical uses within the healthcare sector beyond entertainment. Various healthcare providers are starting to use virtual reality (VR) for healthcare learning purposes such as using VR as training simulations. These training simulations provide medical students and healthcare practitioners in general with the new opportunity to practise complex procedures in a safe and controlled environment. Moreover, VR is also being used as distraction technology, to distract children during vaccinations and injections to reduce the pain and fear among children and more vulnerable patients.

Innovations in Disease Management

The outcome of COVID-19 created a need for healthcare companies to rapidly respond and develop innovations in the healthcare industry. This rapid change will facilitate and encourage healthcare providers to treat and monitor patients outside of the traditional healthcare premises.

Telehealth

As a result of the COVID-19 pandemic and the reduction of in-person consultations, digital health technologies such as the use of tablets, mobile phones and laptops have been, and will be, developed to facilitate more efficient healthcare services. This will impact digital health, with reduced contact, urgent care for chronic conditions and continuity of care with patients remotely.

IoMT

The growth of the IoMT has resulted in an increased use of monitors and wearable devices to meet a range of healthcare needs. The involvement of AI can further facilitate the development of wearable devices to accurately monitor patient conditions and reduce the requirement for in-person consultations.