Telehealth Regulation

How is telehealth regulated?

Telehealth is not regulated specifically in Ireland, and there is a lack of legislation and regulatory schemes specific to digital health IT and eHealthcare.

However, there are several legislative and regulatory schemes which apply to the practice of virtual medicine, such as consumer and data protection by way of general application, and tailored legislation for medical professionals.

In respect of the provision of health services, the Health Act 2004 and the Health Act 2007 apply to medical services. Healthcare practitioners involved in telehealth will be subject to the applicable regulations and codes of practice for their profession, for example, doctors providing medical services via telehealth are required to be registered with the Medical Council, as is required when providing services via traditional means. Doctors providing telemedical services must also comply with the standards of good practice, and the ethical guide deals specifically with telemedicine and reiterates that doctors must be satisfied that the telehealth services being provided are safe and suitable. It is important that all healthcare providers comply with the relevant codes of conduct, regardless of the means by which the services are provided, and these guides may also specifically address the provision of telehealth.

On 3 April 2020, the following regulations came into force (S.I. No. 98/2020 - Medicinal Products (Prescription and Control of Supply) (Amendment) Regulations 2020 and S.I. No. 99/2020 - Misuse of Drugs (Amendment) Regulations 2020) to facilitate the electronic transfer of prescriptions from a prescriber to a pharmacy and to allow further supplies of existing prescriptions by pharmacists to patients during the COVID-19 pandemic. Although intended to be temporary to deal with the Covid 19 emergency, these Regulations are still in force to ensure continued care and treatment for patients (see here for the guidance for prescribers and pharmacists on the legislation changes).

In addition, the National COVID-19 Telehealth Steering Committee has mandated a Remote Patient Monitoring Working Group to examine international evidence for use of remote patient monitoring solutions and to develop guiding principles for their implementation. As a result, operational guidance for telehealth implementation has been developed (see here for the guidance for acute hospitals; and here for guidance for community services).

In respect of the information processed in order to provide telehealth, there is a robust legislative framework in Ireland in respect of data protection. The General Data Protection Regulation is implemented in Ireland by the Data Protection Act 2018, and supplemented by the Data Protection Act 2018 (Health Research) Regulations 2018. In terms of cybersecurity, at an EU level, the Network and Information Systems Directive 2016/1148 governs regulation round cybersecurity and the protection of information.

eHealth Ireland is an independent body, set up by the Health Services Executive, which leads strategy and guides the implementation of telehealth. eHealth Ireland liaises with key stakeholders in this area and has developed several strategic programmes leading eHealth developments in Ireland. Guidance produced by eHealth Ireland recommends that all eHealth systems should be patient-centric, and there should be an emphasis on efficiency, transparency, and ease of access.

Any contractual engagement entered into in relation to the provision of telehealth services may be governed by Irish law, and a patient may have rights under Irish law to bring a case for any tort, negligence or breach of contract.

The Health Service Executive (HSE) has operational responsibility for the public provision of healthcare, including telehealth. The Data Protection Commission (DPC) is the national authority in Ireland with oversight over the management and processing of data. The Health Products Regulatory Authority (HPRA) has a regulatory role to monitor the safety of medical devices in Ireland after they are placed on the market, including mobile applications for diagnosing a disease or medical condition. The Global Observatory for eHealth of the World Health Organization defines Mobile Health (mHealth) as “medical and public health practice supported by mobile devices, such as mobile phones, patient monitoring devices, personal digital assistants, and other wireless devices.” This includes mobile devices including smartphones and tablets, as well as devices that provide real-time patient monitoring like FitBits and other wearables.

From an intellectual property perspective, there are laws regarding copyright and database rights, and the processing of sensitive data is a highly regulated area.

Last modified 8 May 2023

Ireland

Ireland

Is the use of telehealth permitted?

Yes, telehealth is permitted in Ireland.

Last modified 8 May 2023

Ireland

Ireland

How is telehealth regulated?

Telehealth is not regulated specifically in Ireland, and there is a lack of legislation and regulatory schemes specific to digital health IT and eHealthcare.

However, there are several legislative and regulatory schemes which apply to the practice of virtual medicine, such as consumer and data protection by way of general application, and tailored legislation for medical professionals.

In respect of the provision of health services, the Health Act 2004 and the Health Act 2007 apply to medical services. Healthcare practitioners involved in telehealth will be subject to the applicable regulations and codes of practice for their profession, for example, doctors providing medical services via telehealth are required to be registered with the Medical Council, as is required when providing services via traditional means. Doctors providing telemedical services must also comply with the standards of good practice, and the ethical guide deals specifically with telemedicine and reiterates that doctors must be satisfied that the telehealth services being provided are safe and suitable. It is important that all healthcare providers comply with the relevant codes of conduct, regardless of the means by which the services are provided, and these guides may also specifically address the provision of telehealth.

On 3 April 2020, the following regulations came into force (S.I. No. 98/2020 - Medicinal Products (Prescription and Control of Supply) (Amendment) Regulations 2020 and S.I. No. 99/2020 - Misuse of Drugs (Amendment) Regulations 2020) to facilitate the electronic transfer of prescriptions from a prescriber to a pharmacy and to allow further supplies of existing prescriptions by pharmacists to patients during the COVID-19 pandemic. Although intended to be temporary to deal with the Covid 19 emergency, these Regulations are still in force to ensure continued care and treatment for patients (see here for the guidance for prescribers and pharmacists on the legislation changes).

In addition, the National COVID-19 Telehealth Steering Committee has mandated a Remote Patient Monitoring Working Group to examine international evidence for use of remote patient monitoring solutions and to develop guiding principles for their implementation. As a result, operational guidance for telehealth implementation has been developed (see here for the guidance for acute hospitals; and here for guidance for community services).

In respect of the information processed in order to provide telehealth, there is a robust legislative framework in Ireland in respect of data protection. The General Data Protection Regulation is implemented in Ireland by the Data Protection Act 2018, and supplemented by the Data Protection Act 2018 (Health Research) Regulations 2018. In terms of cybersecurity, at an EU level, the Network and Information Systems Directive 2016/1148 governs regulation round cybersecurity and the protection of information.

eHealth Ireland is an independent body, set up by the Health Services Executive, which leads strategy and guides the implementation of telehealth. eHealth Ireland liaises with key stakeholders in this area and has developed several strategic programmes leading eHealth developments in Ireland. Guidance produced by eHealth Ireland recommends that all eHealth systems should be patient-centric, and there should be an emphasis on efficiency, transparency, and ease of access.

Any contractual engagement entered into in relation to the provision of telehealth services may be governed by Irish law, and a patient may have rights under Irish law to bring a case for any tort, negligence or breach of contract.

The Health Service Executive (HSE) has operational responsibility for the public provision of healthcare, including telehealth. The Data Protection Commission (DPC) is the national authority in Ireland with oversight over the management and processing of data. The Health Products Regulatory Authority (HPRA) has a regulatory role to monitor the safety of medical devices in Ireland after they are placed on the market, including mobile applications for diagnosing a disease or medical condition. The Global Observatory for eHealth of the World Health Organization defines Mobile Health (mHealth) as “medical and public health practice supported by mobile devices, such as mobile phones, patient monitoring devices, personal digital assistants, and other wireless devices.” This includes mobile devices including smartphones and tablets, as well as devices that provide real-time patient monitoring like FitBits and other wearables.

From an intellectual property perspective, there are laws regarding copyright and database rights, and the processing of sensitive data is a highly regulated area.

Last modified 8 May 2023

Ireland

Ireland

Are there specific fields of healthcare in relation to which telehealth services are currently available, and do they involve the use of proprietary technology or platforms?

There is no specific limit on which services might be provided by way of telehealth and therefore various disciplines may provide these services, including general practice and hospital consultations. The use of telehealth is determined by the hospital or clinic providing the healthcare services, and may be determined by the facilities of the provider, their assessment of the risk and suitably of service, or other relevant factors, and the scope of services currently available in Ireland extends to general practice. This is decided by the providers on a local level and determined by the providers based on the risk profile, facilities and other relevant factors.

In respect of the platforms used to provide these services, the National COVID-19 Telehealth Steering Committee has approved the following solutions, made available during the COVID-19 pandemic, to support communication across the health service:

  • Attend anywhere;
  • Microsoft Teams;
  • Skype for Business;
  • WhatsApp (on an exceptional basis); and
  • Cisco WebEx.

While this guidance issued by the HSE is in response to the COVID-19 pandemic, it is not time-limited and the guidance anticipates that providers may already have telehealth services in place. However, the guidance may in any event provide useful information to those implementing telehealth services. We recommend that HSE guidance should be monitored for changes.

Where telehealth services are provided independently, a variety of platforms and technological options are deployed in order to these services.

Last modified 8 May 2023

Ireland

Ireland

Does the public health system include telehealth services, and if so, are such services free of charge, subsidised or reimbursed? Where the public health system does not include telehealth services, are such services covered by private health insurance?

Services such as local GP clinics may offer videoconference appointments or other telehealth services, and a partial refund for the cost of the appointment may be claimed back in the usual way. The fact that the service was provided virtually does not impact on the ability to reclaim any refund due.

Telehealth services are also provided privately in Ireland, by medical clinics, health insurers and non-insurance businesses. There are several private health insurers who offer telehealth services as part of their package to policy holders and the provision of this service is covered by the premium.

Last modified 8 May 2023

Ireland

Ireland

Do specific privacy and/or data protection laws apply to the provision of telehealth services?

There are no specific privacy or data protections laws in respect of telehealth services, however there are special rules regarding how health data can be processed.

Ireland is governed by the GDPR, which is further implemented by the Data Protection Act 2018. Most of the personal data which is processed in the provision of telehealth services will be health data, which is classed as special category data under GDPR. The GDPR prohibits the processing of special category data unless there is a lawful basis under Article 6, and also an exception for processing under Article 9.

Depending on the nature and purpose of the processing, there are a number of lawful bases under Article 6 and exemptions under Article 9 which may be relevant for the processing of special category data, including health data.

In most circumstances where the processing of special category data takes place, section 36 of the Data Protection Act 2018 requires that additional "suitable and specific measures" are implemented to safeguard the fundamental rights and freedoms of data subjects. These are mainly practical measures, and include things such as specific staff training in relation to the processing activity and having appropriate security measures, logs and access controls on the personal data.

In addition, the Data Protection Commission advises that ensuring the principles of data protection are upheld when processing personal data is key, although there are no derogations from the GDPR in the Data Protection Act 2018 in this respect.

The Data Protection Act 2018 (Health Research) Regulations 2018 provides specific and additional measures required to safeguard information processed for the benefit of health research, such as appropriate consent, governance, and security.

Last modified 8 May 2023

Ireland

Ireland

How should the cross-border transfer of personal information collected and processed in the course of telehealth services be carried out to ensure compliance with applicable privacy laws?

Any processing of data must be compliant with the GDPR and the Data Protection Act 2018, and the Data Protection Act 2018 (Health Research) Regulations 2018, if applicable.

A cross-border transfers of personal data will depend on whether the transfer is within or outside the EEA (or another jurisdiction which has been deemed adequate). In circumstances where the transfer is within the EEA or the importing country benefits from an adequacy decision in favour of it, then no specific transfer mechanism is required. The parties may be required to enter into a data processing agreement under Article 28 of the GDPR if there is a controller to processor relationship between them.

In circumstances where there is a cross-border transfer outside of the EEA, and where the importing country does not benefit from an adequacy decision as per Article 45 GDPR, an appropriate transfer mechanism specified in Article 46 must be implemented. These transfer mechanisms include:

  • Binding Corporate Rules (internal mechanism which allows multinational companies to transfer personal data to affiliates located outside of the EEA);
  • Standard Contractual Clauses (EU Model Clauses which contain contractual obligations on exporters and importers of personal data to safeguard the personal data and rights and freedoms of the data subject).

Some cross-border transfers may be impacted by the recent Schrems II decision which has invalidated the EU-US Privacy Shield as a lawful transfer mechanism, and which requires all transfers relying on standard contractual clauses to be risk assessed, and supplemental measures to be implemented where required.

There are several cross-border considerations for any telehealth provider, not limited to data, such as consumer rights to bring claims within their own jurisdiction (Recast Brussels Regulation (Regulation EU 1215/2012)).

Last modified 8 May 2023

Ireland

Ireland

Are there any currently applicable codes of conduct on the use of telehealth systems and/or security of telehealth data in your jurisdiction?

The use of videoconferencing with telehealth services must comply with the HSE IT policy and standards.

The Health Information and Quality Authority ("HIQA") is responsible for developing standards for information structures and assessing compliance with those standards. The HIQA has published a Guide to the HIQA’s review programme of eHealth services in Ireland in October 2019.

The HIQA has also created national standards which apply to certain treatments, and are compulsory. Further, a number of the HIQA’s publications are recommended best practice for telehealth services, including:

  • Recommendations for the national, community-based ePrescribing programme in Ireland (2018);
  • Recommendations regarding the adoption of SNOMED Clinical Terms as the clinical terminology for Ireland (2014);
  • Recommendations for a Unique Health Identifier for Individuals in Ireland (2009) Guidance;
  • Guidance on Terminology Standards for Ireland (2017);
  • Guidance on Messaging Standards for Ireland (2017); and
  • Overview of Healthcare Interoperability Standards (2013).

The Data Protection Commission has not published any specific guidance on telehealth.

Last modified 8 May 2023

Ireland

Ireland

Are any specific laws, regulations, or self-regulatory instruments expected to be adopted in the near future?

There are no current proposals for specific laws, regulations or statutory instruments to regulate the telehealth space in Ireland.

However, the Programme for Government 2020 prepared by the Irish Government, has the delivery of care in a COVID-19 environment as a key priority. This includes learning from the healthcare response during COVID-19, continuing to deploy new technologies (including in relation to telehealth), and identifying innovative ways to support vulnerable groups, as well as new pathways of care. In order to deliver more care in the community, the Government intends to increase access to telemedicine and virtual clinics. Supporting eHealth, ICT, and digital health is another priority for the Irish Government, and the Government has set out a number of ambitious goals for their term. Although there are no legislative proposals set out yet, it is clear that this is a key strategic area for Ireland and there will continue to be significant developments in this field. Research conducted by Behaviour & Attitudes for the Medical Council has shown a five-fold increase in the use of telemedicine since early March 2020 by the Irish public and most of the people surveyed suggest that they will continue to use telemedicine more frequently in the future.

In light of the COVID-19 pandemic, the launch of the Sláintecare Strategic Implementation and Action Plan 2021–2023 and the cyberattack on the HSE, the Health Information and Quality Authority (HIQA) published a position paper on October 2021 proposing some recommendations on the reform of the Irish health information system, including on the provision of frameworks and guidance for the use of health apps and medical devices, the development of a new national health information strategy that will set achievable, time-bound objectives which align with the Sláintecare Objectives, as well as continuous investment and strengthening of a secure health information infrastructure.

Last modified 8 May 2023

Ireland

Ireland

Caoimhe Clarkin

Caoimhe Clarkin

Partner

DLA Piper Ireland

T: +35 3 1436 5483[email protected]
Louise McErlean

Louise McErlean

Associate

DLA Piper Ireland

T: +35 3 1487 6679[email protected]