Publication date: October 10, 2024
The Polish Ministry of Health will promote free applications that allow patients' health to be monitored. Applications will be able to receive the title of “MZ Certified Application” (software certified by the Ministry of Health) for a period of 24 months. According to the rules for awarding the title of Ministry of Health Certified Application, the aim of the competition is to find applications that not only provide health information but also store data safely and whose software qualifies as a medical device.
A health application is an application that serves to monitor health. Some of these applications may be considered a medical device if they meet the requirements of Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017.
The regulation does not strictly define whether an application can be a medical device, but the software contained in the application can be.
According to REGULATION (EU) 2017/745 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL – of 5 April 2017
Certification is intended to show that the app is safe and is a reliable tool that can be used by patients and medical personnel. For app developers, certification can be useful for promoting the app and its proven effectiveness. Currently, we can find two apps in the Health App Portfolio that have been certified in Poland. The first is an app created by doctors to check symptoms and their causes. The second app is designed for people struggling with allergies.
Certification, which is voluntary, is encouraged by the EU Member States. Certification may take place if, in addition to meeting the conditions set out in the competition rules, the application complies with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
According to Article 43 of that Regulation:
4. Certification bodies referred to in paragraph 1 shall be responsible for making an appropriate assessment before issuing or withdrawing a certification, without prejudice to the responsibility of the controller or processor for compliance with this Regulation. The accreditation shall be granted for a maximum period of five years and may be renewed under the same conditions, provided that the certification body complies with the requirements set out in this Article.
5. The certification bodies referred to in paragraph 1 shall provide the competent supervisory authority with the reasons for granting or withdrawing the requested certification.
According to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, the following conditions must be met:
The purpose of data processing must be strictly defined; data may not be processed for purposes other than those specified.
The application user must consent to the processing of personal data.
With regard to health applications, under Article 9(1) it is prohibited to process genetic data, biometric data for the purpose of uniquely identifying a natural person, or data concerning that person's health, sexuality or sexual orientation. This prohibition does not apply if the user has given consent to the processing of such data, nor does it apply if processing is necessary for the purposes of preventive health or occupational medicine, for the assessment of the employee's fitness for work, medical diagnosis, the provision of health care or social security, treatment, or the management of health care or social security systems and services, on the basis of Union law or the law of a Member State or in accordance with an agreement with a health care professional, and subject to the conditions and safeguards referred to in paragraph 3.
Data protection must be taken into account already at the initial application design stage (Article 25):
1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons resulting from processing, the controller shall, both at the time of determining the means for processing and the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, designed to implement data protection principles, such as data minimisation, in an effective manner and to incorporate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.
2. The Controller shall implement appropriate technical and organizational measures to ensure that only the personal data that are necessary for achieving each specific purpose of processing are processed by default. This obligation relates to the amount of personal data collected, the scope of their processing, the period of their storage and their accessibility. In particular, these measures shall ensure that, by default, personal data are not made available without the intervention of a given person to an indefinite number of natural persons.
3. Compliance with the obligations referred to in paragraphs 1 and 2 of this Article may be demonstrated, inter alia, by introducing an approved certification mechanism as referred to in Article 42. The person whose personal data are being processed may request their immediate deletion if they are not used for the specified purposes or are unlawful.
Applications must not only meet the medical device requirement, but must also comply with the above regulation.
According to Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017, the application must be used for one of the following purposes:
– diagnosis, prevention, monitoring, prediction, prognosis, treatment or mitigation of disease,
– diagnosing, monitoring, treating, alleviating or compensating for an injury or disability,
– investigating, replacing or modifying an anatomical structure or a physiological or disease state or process,
– providing information through in vitro examination of samples taken from the human body, including those from organ, blood and tissue donors.
General purpose software, even if used in healthcare, or software for lifestyle and wellness applications is not a medical device.
– application for monitoring diseases, e.g. rheumatism, diabetes, chronic diseases;
– an application that is intended to support medical personnel;
– an application for quitting addiction;
– an application for monitoring fetal development;
– sleep monitoring app;
– an application that reminds about medications and searches for pharmacies where we can find a given medicine;
– menstrual cycle monitoring application;
– diet support application;
– an application facilitating contact with doctors;
– mental health support app.
Other regulations related to the legal protection of mobile applications:
Article 74 of the Act of 4 February 1994 on Copyright and Related Rights may also apply.
Art. 74. 1. Computer programs shall be protected as literary works, unless the provisions of this chapter provide otherwise.
2. The protection afforded to a computer program covers all forms of its expression. Ideas and principles that underlie any element of a computer program, including the basis of links, are not protected.
3. Property rights to a computer program created by an employee as a result of performing his/her duties under the employment relationship are vested in the employer, unless the contract provides otherwise.
Sources:
– Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017
– https://www.gov.pl/web/zdrowie/aplikacje-certyfikowane-mz-w-portfelu-aplikacji-zdrowotnych-paz
– Act of 4 February 1994 on Copyright and Related Rights