In this briefing we cover recent regulatory developments for mobile health (mHealth) in the European Union and set out a summary of the current framework.

mHealth is a sub-segment of electronic health (eHealth) and covers medical and public health practice supported by mobile devices. It especially includes the use of mobile devices for health and well-being services and information purposes as well as mobile health applications. eHealth is part of the EU’s digital single market strategy which has recently been the subject of a midterm review.

In April 2014, the European Commission launched a public consultation alongside the Green Paper on mobile health to help identify the right way forward to unlock the potential of mHealth in the EU (Consultation). Together with the Green Paper, the Commission also published a Staff Working Document on the existing EU legal framework applicable to lifestyle and wellbeing apps.

This Consultation gathered inputs from interested stakeholders on barriers and issues related to the use of mHealth. It revealed that people often do not trust mHealth apps, such as those monitoring your health or giving health advice. Privacy and security of information as well as data quality were key issues identified in the Consultation.

Privacy Code of Conduct

Respondents considered that having users’ consent as well as strong privacy and security tools in place is a crucial issue in relation to mHealth apps. As a result, in March 2015 the European Commission launched an initiative to create an industry-led mHealth Privacy Code of Conduct (the Code).

The Code is targeted at app developers and its purpose is to foster justified trust among users of mHealth apps which process personal data that include data concerning health. The Code aims to provide easily understandable guidelines for app developers on how to respect and comply with EU data protection laws. On 7 June 2016, the Code was formally submitted to the Article 29 Data Protection Working Party (the WP29) for approval. Once the Code is approved it will be applied in practice: app developers can sign it on a voluntary basis, thereby committing to following its rules.

The WP29 has analysed the Code’s compliance with the Data Protection Directive and in light of the General Data Protection Regulation which will apply on 28 May 2018. On 10 April 2017 the WP29 set out in a letter its comments on the Code and identified areas for improvement. WP29 are currently of the opinion that the Code does not bring sufficient added value to the Data Protection Directive and provisions made in national law. The WP29 provided general comments on the Code and further observations on specific areas of the Code which need to be addressed in order to improve the quality, value and application of the Code.

Assessment Guidelines

In addition to privacy and security of information, data quality when linking mHealth apps to electronic health records for the effective uptake in clinical practice was identified as a key issue by the Consultation. It was understood that health and safety risks related to mHealth apps needed to be handled with regards to clinical evidence, claims on the purpose and functions of mHealth apps, and test and validation of the performance.

The European Commission appointed a working group to draft the mHealth Assessment Guidelines (the Guidelines). The group includes representatives of patients, health professionals and providers, payers, industry, academia and public authorities. The purpose of the Guidelines is to establish a framework of safety, quality, reliability and effectiveness criteria to improve the use, development, recommendation and evaluation of mHealth apps. The second draft of the Guidelines was open for input and comments during the course of 2016 and results will be published in due course.

The Guidelines do not cover mHealth apps that are classified as medical devices, as they are regulated in accordance with the Medical Devices Directive. This Directive will be replaced by the Medical Devices Regulation which comes into force on 25 May 2017 and shall apply 3 years after. The UK’s Medicines and Healthcare Products Regulatory Agency has published useful Guidance on the qualification and classification of medical device stand-alone software including apps which is to be used in the UK in addition to the European Commission’s Guidance MEDDEV 2.1/6.