Digital Health Regulation: A Comparative Study of the EU and the USA

Updated 21 Aug 2024
Ivan Sinapov Technical Copywriter at XTATIC HEALTH

In the last decade, healthcare technology has advanced significantly. Many fields, such as cardiology, home care, and dentistry, have developed their treatment techniques and received new medical devices.

However, the greatest development in the field was in digital health. Many companies started developing software as a medical product or started creating medical devices connected to the Internet, thus creating a digital medical device industry. All of this meant that large amounts of personal data began to be received and processed over the Internet. 

Naturally, this put data privacy and safety at the forefront of lawmakers’ attention. For this reason, virtually every state is developing its regulatory systems. Specifically, the USA and the EU have the greatest influence in the field with the Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation (GDPR), respectively.

Neither law was developed specifically for digital healthcare; however, both cover the field, each in its own way. For this reason, this article will begin by comparing the European and American legal frameworks for digital health. Then, it will discuss the respective agencies that enforce these regulatory standards – the European Medicines Agency (EMA) and the US Food and Drug Administration (FDA). Lastly, it will cover the regulation of medical devices used in digital health.

The legal framework: GDPR vs. HIPAA


Just as the name of the act suggests, the General Data Protection Regulation (GDPR) regulates any situation where a company or organization is processing the personally identifiable information (PII) of an individual. PII means anything that can help directly or indirectly identify a living person. Processing PII means collecting, organizing, structuring, using, storing, sharing, and erasing data. 

The data must be used for a legitimate purpose – for example, keeping information “just in case” is not considered a valid reason. Reasons for keeping the information could be the consent of the user, a contract, a legal obligation, etc., as described in Art. 6 GDPR. 

In either case, the individual should be aware of how their data is handled and have a say in how it is processed. Companies must ensure data safety, and they remain responsible if they obtain information from a distributor that is not GDPR-compliant.

The above-mentioned is valid for any PII, including digital health information. Because of these comprehensive obligations, the European legal framework can be classified as a rigorous regulation.

On the other hand, the USA’s alternative is a more specific regulation. Its respective legislation, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), covers only data related to healthcare.

In essence, it is a federal law that mandates the creation of standards for protecting patients’ protected health information (PHI) from being disclosed without their consent or knowledge. The law is similar to GDPR, and it is easiest to describe through a comparison between the two acts.


Types of data collected 

Under US law, PHI means only medical data – the condition of the patient, chronic diseases, etc. are protected. In the EU, PII means any data, direct or indirect, that links to an individual – name, address, telephone number, skin color, etc. Indirect information can also include online history, preferences, health status, etc.

Consent


Under HIPAA, healthcare providers can disclose PHI without patient consent in some instances. Disclosure to another medical provider is permissible for treatment, payment purposes, and healthcare operations. “Treatment” means providing healthcare in general.

“Payment” relates to billing patients for treatment, obtaining reimbursement, and handling insurance. “Healthcare operations” are any legal, administrative, or quality improvement actions that do not involve treating the patient directly.

Under GDPR, however, such disclosure of information is restricted substantially. Only information related to direct patient care, or “treatment”, may be shared this way. Anything outside of that scope requires explicit consent. This includes communication and marketing activities between the care provider and the data subject – the individual must expressly consent to communications through phone, e-mail, etc.

The right to be forgotten

A feature unique to European legislation is the increased control over personal information records. An individual may request that an organization wipe their personal data off their databases. This includes wiping such data from associates or affiliates. This means that an organization needs to be able to track where PII is stored and have access to the database.

HIPAA permits patients to view their own medical records and other health information. Furthermore, individuals may request corrections, but there is no mechanism for wiping data history.

Disclosure of data breaches


When the PHI of a patient is breached, healthcare providers must notify the Department of Health and Human Services Office for Civil Rights (OCR). If more than 500 individuals are affected by such a breach, the data holder must notify the OCR and all affected individuals within 60 days. 

If a smaller number of people are affected, such reporting must be done by the annual reporting deadline, which is the 1st of March. This means that if an incident occurs on the 2nd of March and 600 people are affected, the organization must report it by the 2nd of May.

If the same incident affected only 450 individuals, the data holder has up to a year to report it.

Yet, when it comes to the EU, GDPR is drastically stricter, as Article 34 of the act sets only a 72-hour disclosure period.

Violations

HIPAA penalties vary considerably, depending on the particular case and the severity of the violation.

They are based on whether a healthcare provider could not have known that their actions would result in a violation, or whether they were negligent. In the first case, the fines range from $100 to $50,000. In the second, they range from $10,000 to $50,000, with possible criminal charges and jail time.

Lastly, the penalty can be up to $1.5 million a year for violations of an identical provision.

The most notable case is that of Anthem, Inc. – a $115 million class-action lawsuit for failing to implement security protocols for protecting its electronic protected health information (ePHI). Hackers launched a cyberattack, resulting in 79 million people being affected.

GDPR violations are dealt with in a simpler way. Organizations that violate the law face sanctions of up to 4% of their income in the last 12 months or 20 million euros, whichever is higher.

A notable example of such a breach is in France, where DEDALUS BIOLOGIE, which distributes software for laboratories, was responsible for a leak of the PII of 500,000 individuals, resulting in a 1.5 million euro fine.

To issue such fines, each state needs competent authorities that monitor compliance with HIPAA and GDPR. For this reason, the FDA and EMA both monitor the healthcare field, from the pharmaceutical industry’s technology and drugs affecting human health to diagnostic and interventional radiology and medical devices worldwide.


Regulatory standards: The role of EMA and FDA in digital health


To begin with the organizations themselves: the European Medicines Agency (EMA) and the US Food and Drug Administration (FDA) both operate under very similar regulatory frameworks and share fewer differences than HIPAA and GDPR.

They are the competent authorities responsible for testing the safety and efficacy of a medical device, protecting and advocating for public health, and giving people health and regulatory information. There are only three main differences between the two agencies:

Structure

The FDA operates and oversees the USA exclusively. Due to this, it is centralized and oversees the drug approval process with its own staff.

The EMA, on the other hand, oversees the same process in many European countries. Due to this, centralization has not yet occurred, which leads to some complications.

The assessment of new drugs and devices is done independently by each country, and the agency draws on resources from more than 40 national competent authorities and more than 4,500 experts. After the assessment, the EMA sends an opinion to the European Commission, which either approves or denies it.


Phases of approval

In both agencies, there are three stages – preclinical testing, clinical trials, and a final approval procedure. In the USA, an application is filed with the FDA for drugs that appear safe in the preclinical phase. 

In the EU, an application is filed for a marketing authorization license, which is valid in every EU state plus Iceland, Liechtenstein, and Norway. Most, but not all, products in the EU must follow the centralized authorization procedure; some products may still be authorized through national decentralized procedures.

Differences in testing

The testing process itself is quite similar for the two agencies, with only a slight twist. The FDA investigates new drugs when compared to placebos, while the EU compares the new drugs with old medications. However, this is not always the case, as the EMA does also incorporate placebo and active treatment as controls when possible.

Yet the trend is toward standardization of the approval mechanisms. Specifically, the FDA and the EMA already have the same application form for rare diseases. This common framework allows companies to apply in both jurisdictions at the same time.

That being said, while the data protection aspect of digital health regulation is relatively similar, there are substantial differences on the hardware front.

Medical device regulations in the EU and USA


When speaking about digital health, medical devices are usually not the first thing a person thinks about. However, many medical devices are connected to the Internet. 

For example, the Internet of Things (IoT) is a line of devices – sensors, software, and other technologies – created for the purpose of generating and exchanging data with other devices over the Internet.

In this sense, remote heart monitoring devices could be used to track patients from their homes and submit the gathered data to healthcare professionals through the Internet. For that reason, the regulation of medical devices is just as important for digital healthcare.

Regulation in the European Union

Particularly in Europe, lawmakers have recognized several emerging challenges – the aging population, rising expectations of patients, and the migration of patients and health professionals. 

To that end, the focus has been on branches like E-health, M-health, and genomics – all in an attempt to switch their approach from treating underlying conditions to the prevention of illnesses in the first place.

The EU defines medical devices as products or equipment intended for a medical purpose and regulates them under the New Approach (NA) directives. Under the directive, products placed on the EU market and benefiting from the free movement rules are covered by the legislative harmonization standards. 

These standards are technical specifications that ensure the safety of the product. The key point is that these standards are not mandatory, and the manufacturer can apply other national standards. However, devices approved under the harmonized standards of the NA receive a presumption of conformity with the required standards in every EU country.

The assessment of the product itself is based on the risk levels and the intended use of the device. 

There are four distinct categories in the EU:

  • Class I – low risk – for example, enema kits and elastic bandages
  • Class IIa – medium risk – catheters, blood transfusion tubes, and hearing aids
  • Class IIb – medium/high risk – ventilators, surgical lasers, and infusion pumps
  • Class III – high risk – pacemakers and heart valves

These strict regulations are created to ensure that the medical device can accomplish its intended use without compromising the condition or safety of the user. Any risk that is found is weighed against the possible benefit to the patient, ensuring the product is likely to produce more good than harm.

Regulation in the United States of America

The USA market is characterized by the development of the mobile and health IT sectors. Lawmakers are undergoing an effort to coordinate their approach towards the new wireless medical devices, mobile apps, and other digital healthcare devices. 

The enforcement process is significantly more centralized, with the FDA, the Federal Communications Commission (FCC), and the Office of the National Coordinator for Health Information Technology (ONC) executing the main regulatory actions. 

The FCC mainly handles international communication by telephone, radio, television, internet, etc. It also oversees the authorization of equipment using radio frequencies. Lastly, it examines equipment emitting radio frequency energy that could cause interference with other systems. 

The FDA, on the other hand, oversees equipment intended for the treatment, prevention, or diagnosis of diseases. 

One example of such authorization is Mobile MIM, a program capable of “allowing doctors to view and assess medical images that have been approved by the FDA”. 

Another example is Mobisante, an app that is a “mobile ultrasound imaging system that will cost between $7,000 and $8,000 in full” and displays the ultrasound on a smartphone. 

The two agencies are coordinating their efforts and have even signed a memorandum to share information on device marketing authorizations and consult each other on the development of standards for mobile devices and digital health IT.

Lastly, the ONC is charged with the development and implementation of interoperable information technology. Some of its obligations might be to ensure rigorous regulation of certification programs for health IT or to develop standards for the certification of said programs.

In the US, medical devices are defined as “instruments or apparatus (including components) intended for use when diagnosing, treating or preventing diseases or medical conditions, or intended to affect the body through non-chemical means”. Some accessories used for marketing purposes or general use, and not strictly for healthcare, do not fall under the control of the above-mentioned organizations.

However, as in the EU, the intended use of the device is taken into account to determine if it is a medical device. 

And similarly to Europe, the devices are classified based on their risk factors and efficiency:

  • Class I – low-risk devices
  • Class II – moderate-risk devices
  • Class III – high-risk devices

Manufacturers are generally expected to classify their own devices before commercializing them. However, most of them are still subject to “general controls”, such as device listing and good manufacturing practice requirements and reporting.


Conclusion for intercontinental businesses

The current regulatory frameworks in Europe and the United States are quite similar when it comes to the protection of personal data in healthcare. While the GDPR and HIPAA were not created specifically for healthcare, they are both perfectly applicable in the field. 

When it comes to comparing the two laws, European law is more decentralized due to the nature of the European Union. Despite this, GDPR is considerably stricter than HIPAA in many aspects, such as the policy on sharing information without the consent of the individual, the right to be forgotten, and the fines issued for violations of the act.

Yet, the updated regulatory changes from recent years show a trend toward creating equal standards in both laws.

This similarity is less pronounced between their enforcement agencies, the EMA and the FDA; however, both still use similar techniques for assessing digital software and medical devices. In fact, the American and European agencies have similar standards for assessing the risk related to each medical product.

For a business, this means that software or a medical device authorized in Europe has a good chance of being ready to begin the approval process in the USA, as the EU standards tend to be stricter. Conversely, a US-approved product may be brought to the European market with relatively few changes.

Of course, there are always exceptions, and when dealing with regulations, even small mistakes can lead to fines. However, working with an IT company focused on medical software could be the key to an easy transition. 

Working with such a company means that it will catch small mistakes that are easy to overlook, and instead of paying for experience through fines, a company can pay a smaller fee to a third party to ensure compliance.

Ivan Sinapov

Ivan is a Technical Copywriter with extensive experience in the field of medical technology and software development. He specializes in translating complex technical concepts into clear and engaging content tailored for both industry professionals and broader audiences.
