Product Liability and Medical Software: Fortunately You Can Insure Yourself

Medical care has become digital. We now routinely use smartphone apps, image analysis software or data-based patient models. These are just a few examples. The decisive component here is software. But what does it mean for risk assessment when a computer program becomes a medical device? And what is the consequence in terms of product liability? Manufacturers of medical devices or software have to answer this question carefully. Medical software must meet considerably stricter legal requirements than software without a medical scope. The approval or certification of medical software costs a lot of time and money. What is even more important, however, is risk compensation in view of product liability. Since manufacturers of medical software are exposed to considerable risks here, corresponding measures such as concluding product liability insurance are mandatory.

Regulation of Medical Software

The legal basis for medical devices and thus also for medical software in Europe is the EU medical device regulation 2017/745 (EU MDR), which came into force on 25 May 2017. Even though the “old” directives on medical devices and active implants will continue to apply in a transitional period until 26 May 2021, you should always deal intensively with the new regulation. First of all, there is the question whether your software is a medical device at all. A close look at the definition of medical devices will help here. The EU MDR defines medical devices primarily on the basis of their areas of application. These are:
  • diagnosis, prevention, monitoring, prediction, prognosis, treatment or alleviation of disease,
  • diagnosis, monitoring, treatment, alleviation of, or compensation for, an injury or disability,
  • investigation, replacement or modification of the anatomy or of a physiological or pathological process or state and
  • providing information by means of in vitro examination of specimens derived from the human body, including organ, blood and tissue donations.
In addition, devices for the control or support of conception and products for cleaning, disinfection or sterilization are medical devices according to the EU MDR. But that is not all. Medical devices and thus medical software must also be intended for humans. Moreover, the principle of action is important. Medical devices work in or on the human body, but not pharmacologically, metabolically or immunologically.

Stand-Alone or Integrated Software

In addition to devices, instruments, apparatus etc., the EU MDR explicitly mentions software. Thus software can be a medical device in principle if it has a medical purpose. However, to make things more demanding, the law distinguishes between independent medical software and device-related medical software. Independent medical software, so-called “stand-alone software”, performs its functions independently and does not require an associated medical device. Device-related medical software, on the other hand, is required for the operation of a medical product and must be regarded as a component thereof. Such software is an integral part of an apparatus, device, instrument or system. Read our article about “Stand-alone Software as Medical Device” for a deeper insight into this subtopic. All in all, the legal wording makes clear that medical software obviously has to be able to do more than just search for, store, archive or transmit data. In particular, medical software interprets data. It directly helps to make diagnoses and initiate therapies. This also means that patient data management systems, hospital information systems or medical learning and teaching programs are not medical software.

Purpose of Use

But who ultimately determines whether software is a medical device or not? The answer: It is the manufacturer of the software. Software becomes a medical device if the manufacturer itself assigns it a medical purpose. For this, the manufacturer determines who may use the software for what purpose. These specifications appear in the labelling, the instructions for use or in the advertising material. It is therefore a “subjective” purpose. But what happens if users use software medically that the manufacturer has not designated as such? This would at least have no significance for the question of whether it is a medical device or not. The decisive factor is the manufacturer’s assessment. The purpose of the software, which the manufacturer has determined, is of decisive importance for the later risk consideration. And this, of course, also applies to the question to what extent product liability comes into effect. However, manufacturers cannot resolve product liability issues solely by considering the medical device regulation. There are other areas of law that are also important. They also require analysis if you want to assess the risk of product liability for your medical software.


For example, think of copyright. It protects intellectual property and serves to secure and exploit the author’s rights. Software is subject to copyright. For cost and time reasons, software developers usually fall back on already existing third-party components. They often use open source components, which is particularly tempting because they are freely available. But be careful at this point. Open source software or freeware does not necessarily mean that you can integrate these components into your commercial software without further ado. The same applies to third-party services or content of any kind, such as text parts or images. Therefore, check and document each external component and content carefully to see whether, to what extent, or under what conditions the authors allow you to use it.

Data Protection

Data protection also plays an important role. A person has the right to decide which of his or her personal data to make available to a responsible body. The person also decides for what purpose a responsible body may process his or her data. If, for example, a software manufacturer brings the user data into a cloud, he can become a responsible body in this way. The consequence of this is that he must comply with all legal requirements for such a responsible body. He must also examine in detail which data protection rules are relevant in the individual case. Therefore, it is important for software manufacturers to understand that data protection follows certain principles:
  • There must be a clear and legitimate purpose to the data processing.
  • The level of data processing must be reasonable and proportionate to the purpose of the processing.
  • Data processing must be transparent so that users can keep themselves informed at all times.
  • Measures related to data protection law must always be proportionate.
The EU General Data Protection Regulation gives these aspects additional significance. It entered into force on 25 May 2018. Consequently, supervisory authorities can now impose high fines if data protection is not sufficient. We have written an article that discusses in detail the role of GDPR and the need for privacy by design.


Medical devices and therefore also medical software are not “normal” products. Since they can cause considerable damage, especially in the case of improper use, their marketing is strictly regulated. Manufacturers may therefore only advertise medical devices in certain ways. The legislator wants to ensure that possibly unsuitable advertising does not lead to misuse of medical products or to false promises of benefits. Advertising for medical devices must therefore not be misleading or promise therapeutic efficacy that is not achieved. Note that software itself can also be advertising, for example, when an app provides access to information about therapeutic products. As a rule, only certain professionals may gain access to this information. Besides, it is not legal to offer the software as a gift if it is directly related to the medical device.

Product Liability

The manufacturer of medical software is liable for damages caused by faulty software. Not only programming errors, but also insufficient instructions for use, missing warnings, excessive marketing statements about the performance of software or inadequate data protection can be relevant for product liability. Hence, the manufacturer of medical software is liable if he does not fulfil his contract with a customer. In practice, the issue here is whether the software has a defect and thus does not reach the contractually agreed condition. The defect does not necessarily have to cause a safety risk. Often, tedious and expensive disputes arise in the event of damage, because the customer and the manufacturer have not made precise agreements about important performance features of the software. Then, it is unclear in whose area of responsibility the defect falls. Moreover, the manufacturer of medical software can be liable to everyone for damage caused by faulty software, because the life, health and property of others are legal assets which are protected by law. This means that there is no need for a contract with an affected person. So if you bring medical software onto the market, you are responsible for ensuring that it is free of errors and does not injure patients, users or third parties. And: the manufacturer can be liable for damages due to a defect of medical software, regardless of whether it is his fault or not.

Software as a Product

Interestingly, legal scholars argue about whether software is a product at all. The law defines a product as a movable thing. But is software a movable thing? The answer is “sometimes”. Some consider software delivered on a data carrier, such as a CD or chip, to be portable and therefore a product. Others, on the other hand, focus on the service provided by the software and argue against software as a product. In many cases, however, software is located on a server and is downloadable. In this case, software is probably not to be regarded as a movable thing. Obviously, the legal wording lags behind the technical developments. Uncertainty remains for the manufacturer, and with it a risk that he has to manage. Irrespective of whether software is a product and therefore product liability applies or not, the manufacturer is still liable within the scope of producer liability.

Producer Liability

The manufacturer of medical software is in any case subject to the principles of producer liability. The manufacturer has various obligations to prevent his medical devices from infringing the rights of others. The reversal of the burden of proof is characteristic. If a person concerned has proven a breach of duty by the manufacturer, the manufacturer must prove that he is not to blame. This would be the case, for example, if the defect of the medical device is an “outlier” which can also occur in the case of perfect organization of the production facility. A further example is a development risk that could not be avoided according to the state of the art in science and technology.

Product Liability Insurance

Manufacturers of medical devices are obliged to provide sufficient financial cover. Product liability insurance is the instrument of choice here. The amount of financial cover depends individually on the type and risk class of the medical devices concerned and the size of the company. It is part of the regulatory obligations of medical device manufacturers to define and hedge their product liability risks in the event of damage. This must be done before marketing and on an individual basis. The levels of protection vary from one European country to another. In contrast, there is a widespread misconception, in particular among small and medium-sized enterprises, that product liability insurance is not necessary or is too expensive. In summary, manufacturers are well advised to deal intensively with the complex regulatory and legal situation of medical software. A detailed risk analysis is money well invested. The medical software thus becomes a success for the patients and for the company.