Digital health apps and telemedicine in the Netherlands

The relevant legislation is the “Wet op de medische hulpmiddelen (“Wmh”)”, or in English, the Medical Device Act and the “Besluit medische hulpmiddelen”; the Medical Device Decree (as of May 2021, the Medical Device Regulation (EU) 2017/745 will apply). 

According to the Wmh, the definition of a medical device is any instrument, software, or other item whether used alone or in combination, including the software necessary for its proper application intended by the manufacturer to be used for human beings for the purpose of: 

• Diagnosis, prevention, monitoring treatment or alleviation of disease; 
• Diagnosis, monitoring, treatment, alleviation of or compensation for any injury or handicap;
• Investigation, replacement or modification of the anatomy or of a physiological process; and
• Control of conception,

and which does not achieve its principal intended action in or on the human body by pharmacological, immunological or metabolic means, but which may be assisted in its function by such means. 

If the software within digital health apps are used for the purpose of any of the above purposes, then the software itself is considered a medical device.

1.1 Is it considered a “medical device” or a “product” to which liability can attach, and if so, under what regulations?

Dutch law does not distinguish a medical device from any other product with regard to liability, so if the software is considered a medical device, liability can attach as it would with any other product. The applicable rules can be found in book 6 of the Dutch Civil Code; specifically, the chapters on contractual liability (6:74 and further), non-contractual liability (6:162 and further) and product liability (6:185 and further). 

1.2 If your response to Q1.1 is yes, please state whether there are any exclusions/exemptions applicable with regard to liability, and/or whether those are applicable only under certain circumstances (e.g., for in-hospital use)?

No specific exclusions or exemptions are made by Dutch law with regard to liability of software (as a medical device). Parties can contractually agree on specific clauses to limit or extend liability. 

Yes, other legal regimes that need to be taken into consideration are the rules on data privacy: General Data Protection Regulation (EU) 2016/679 and relevant guidelines, e.g., the NEN 7510 on information security in healthcare, NEN 7512 on data exchange in healthcare and the NEN 7513 concerning the logging of actions on electronic patient records. 

Also relevant are the aspects of patient rights in case the medical device is used to perform a medical treatment agreement: article 7:446 Dutch Civil Code and further, and the Processing personal data in healthcare Act, or in Dutch “Wet aanvullende bepalingen verwerking persoonsgegevens in de zorg.” 

3.1 The users are residents using it within their jurisdiction and/or using it outside their jurisdiction.

The patient is the “protected” party in national legislation, the patient rights he or she derives from Dutch law(s) “follow” the patient across the border. Therefore, it does not matter if the resident uses it within or outside their jurisdiction. This could differ with respect to (the processing of) the data privacy-rights if the resident goes outside the borders of the European Union. 

3.2 It is a “B2B” (business to business) rather than “B2C” (business to end consumer) service.

Data privacy-rules are intended to protect the personal data and privacy of an individual, the end user, so it is very important in B2C-scenarios. Nonetheless, businesses have to comply with data protection regulation in B2B-scenarios.

The same goes for patient rights – the regulations are in place in order the regulate the rights and obligations in case of a medical treatment agreement with a patient. 

No, the general (data privacy) rules apply. 

The basic principle in Dutch law is that the physician is liable for the device he or she use if the device turns out to be unfit to perform the task. This rule is codified in article 6:77 Dutch Civil Code. The article also nuances the rule by adding that liability for auxiliary equipment is not attributed to the debtor (physician) if this would be unreasonable in view of the content and necessary implication of the juridical act from which the obligation arises, the generally accepted principles (common opinion), and other circumstances of the situation. 

The liability is transferred to the producer of the software if the damage is caused by a defect (safety defect) in the product. A product is defective when it does not provide the safety which a person is entitled to expect, taking all circumstances into account, especially the presentation of the product, the use that could reasonably be expected to be made of the product, and the time when the product was put into circulation on the market. The producer’s liability is limited to damage caused by death or personal injuries and damage caused by the defective product to another asset of a type which is ordinarily intended for private use or consumption (with a threshold of €500). Product liability is included in article 6:185-193 Dutch Civil Code. 

Medical Device Act

The Minister is authorized to impose an administrative fine up to €900.000 for an act that is contrary to a number of provisions of the Medical Device Act. The violation of a number of specific provisions can even constitute an economic offense, punishable with one year in custody or a fine. Lastly, it is forbidden to recommend an object as a medical device, while you know or should reasonably suspect that the advertised suitability is lacking. This could be punished with imprisonment of up to two years or a fine. The Health and Youth Care Inspectorate (Inspectie Gezondheidszorg en Jeugd (“IGJ”)) is the authority that acts on behalf of the Minister.

General Data Protection Regulation

The Dutch Data Protection Authority (“DPA”) supervises processing of personal data in order to ensure compliance with laws that regulate the use of personal data. According to the Dutch Implementation Act of the GDPR, the Dutch DPA is authorized in the event of a violation of the Regulation to impose an administrative fine of up to €20,000,000 (or up to €10,000,000, depending on the breach) or, for a business entity, up to 4% (or up to 2%, depending on the breach) of the total worldwide annual turnover in the previous financial year if this amount is higher.

In case of an infringement of the rights regulated by this regulation, the person who has suffered material or non-material damage shall have the right to receive compensation. Any controller involved in processing of the personal data shall be liable for the damage. 

Rights and obligations medical treatment agreement

The IGJ, part of the Ministry of Health Welfare and Sport, has the role to supervise healthcare in the Netherlands and the market for medicines and medical devices. The IGJ ensures that actors on these markets comply with the relevant legal and regulatory standards. The IGJ has a number of instruments to enforce the regulation, such as an instruction, administrative fine, administrative coercion, injunction, order to immediately abstain from professional activities, to put under supervision or file a disciplinary complaint. More specific for medical devices (using software) the IGJ could also order to withdraw the product from the market.

Due to the recent pandemic, all e-health applications got a kick start. The Ministry of Health, Welfare and Sport wants to stimulate the use of e-health and is making €77 million available for remote support and care via digital applications, intended for care for frail elderly living at home and people with a chronic illness or disability. This new subsidy scheme (as of Q3 2020) is specifically aimed at healthcare providers of community nursing, general practitioners, mental healthcare and providers of support under the Social Support Act (Wet maatschappelijke ondersteuning) who want to invest in order to structurally start using digital care remotely. 

In the Netherlands, a few category of medical professionals like doctors, dentists and midwives, are able to register in the Dutch individual healthcare professions-register (“BIG-register”), which is a registration that is only open to certain categories of healthcare professionals if they have completed the right education. The BIG register provides clarity about the healthcare professional's qualification and entitlement to practise. With a BIG registration, the healthcare professional may use the legally protected title belonging to the profession. Furthermore, a BIG registration allows to perform certain restricted actions (voorbehouden handelingen), such as operating, injecting, sedating, prescribing medicine or other acts which present unacceptable risks to the health of the patient if carried out by untrained persons. 

The basic principle under the Individual Healthcare Professions Act (Wet op de Beroepen in de Individuele Gezondheidszorg or Wet BIG) is that everyone is allowed to act in the field of individual healthcare, with the exception of the performance of “reserved acts.” Only BIG-registered professionals are allowed to perform these.

The regulator authority that supervises the BIG-registrations and compliance of the BIG-registered professionals with the Individual Healthcare Professions Act is the IGJ. 

Medical treatment agreement (Wet geneeskundigen behandelingsovereenkomst), Individual Healthcare Professions Act (Wet BIG), Medicines Act (Geneesmiddelenwet), Healthcare Quality, Complaints and Disputes Act (Wet kwaliteit, klachten en geschillen zorg), relevant guidelines on telemedicine and with respect to the processing of personal data, the General Data Protection Regulation. 

10.1 What are the requirements?

The competence of a healthcare provider will be assessed against the criteria of a “good caregiver”. This means that in providing the medical services, the healthcare provider must observe the standards of a prudent caregiver and, in doing so, has to act in conformity with the responsibilities laid upon him/her by the professional standard for healthcare providers. The professional standard is set by industry protocols and self-regulation and should comply with the latest developments in the medical field. The use of telemedicine will constitute a medical treatment agreement. A patient can only enter into a medical treatment agreement for himself/herself as of the age of sixteen. An important limitation for teleconsultation in the Netherlands is that Dutch legislation prohibits a medical doctor to prescribe medicinal products to a patient whom he or she has never physically met. 

10.2 Were there any new (time-limited) regulation regarding the Sars-CoV-2 pandemic?

No, there are no new or temporary regulations introduced in the Netherlands due to the Covid-pandemic. 

The standards of care do not specifically change in the context of using telemedicine, but some aspects may need more attention. For example, a physician needs to assess whether telemedicine is the right medium to use, whether he or she is comfortable to do the assessment remotely and whether or not the situation requires that the physician see the patient in person.

11.1 Are there legal requirements for physicians to give disclaimers or other types of notices to patients (as part of the consent process) before using telemedicine? If so, please indicate these.

A physician must provide good care and has a professional responsibility to assess if telemedicine is the correct or a suitable tool to use in the specific situation. In the Netherlands, there are no legal requirements for physicians to give any disclaimers, but the physician does have a general information-obligation. He has to inform the patient on the limitations of the telemedicine services and has to refer the patient to a real life consultation when telemedicine is not the appropriate medium to provide good care. 

11.2 Does the use of telemedicine increase the risk of liability (e.g., if a physician is asked to certify someone’s fitness to engage in a particular employment and does so virtually versus an in-person consultation)?

No, the use of telemedicine does not increase the risk of liability by any specific way. The liability-risks are the same as in traditional doctor-patient treatment relations. The healthcare provider has the responsibility to remotely practice medicine in a way that ensures quality and safety of care. 

The Royal Dutch Medical Association (Koninklijke Nederlandse Maatschappij tot bevordering der Geneeskunst/KNMP) has published a leading guideline on remotely practising medicine. Based on this guideline, providing patient oriented advice via telemedicine is only permitted if the following cumulative conditions are met by the physician: 

• The physician has informed the patient in a sufficient way about the videoconference intervention;
• The physician has received relevant and reliable medical data from the patient;
• The applicable professional standard is taken into account;
• The identity of the patient had been sufficiently established and the physician must identify him-/herself to the patient;
• The physician clearly indicates that the online advice is based on the data presented by the patient and the available medical file;
• If the healthcare professional is not the patient's regular physician, he or she informs the patient's own physician (e.g., general practitioner) about the medical advice given to the patient.    

Complying with these standards lowers the risks of liability for the physician. 

Yes, there are restrictions on prescribing medicine through telemedicine. Article 67 of the Dutch Medicines Act (Geneesmiddelenwet) prohibits a medical doctor to prescribe medicinal products to a patient whom he or she has never physically met. Assuming that the physician contacted using the teleconsultation service has never physically met any of the patients that will use the application, prescribing medication via this teleconsultation service will not be an option in the Netherlands. 

Yes, if a telemedicine service is used in the performance of or as a substitute to a “normal” reimbursable act, the telemedicine service would be reimbursed under the same conditions. Telemedicine can be an alternative for a “regular” or physical service. For example, a consultation with a doctor will be reimbursed both in person and via telemedicine.

13.1 If so, are there any special provisions about the reimbursement/coverage of costs regarding the use of mobile apps that can combine digital health and telemedicine? 

No, there are no special provisions on the reimbursement of the costs regarding the use of digital health or telemedicine. In general, if the telemedicine performs an activity that would be eligible for compensation according to the “normal” rules, it will be reimbursed without any special requirements. However, healthcare insurers can impose additional requirements for reimbursement.

13.2 And further, if yes, who is covering the costs for apps that are mostly used by healthcare professionals and by patients?

If the activity the app is used for will be reimbursed by the healthcare insurer because the activity is covered by the national basic health insurance (“basisverzekering”), the cost of the app will be covered by the national healthcare system. The app will have to be funded from the amount you receive as reimbursement for the specific activity from the healthcare insurer, as the app is part of the fulfilment of the activity and not an independent ground for compensation. 

The General Data Protection Regulation applies as well as the Processing personal data in healthcare Act, or in Dutch “Wet aanvullende bepalingen verwerking persoonsgegevens in de zorg.” The Processing personal data in healthcare Act includes safeguards for clients/patients in electronic data exchange. 

We refer to the answer to Question 7. 

In general, the recent pandemic has accelerated the introduction of eHealth, which had led to a substantial increase of the use of telemedicine.