The Regulatory Checklist for Establishing a Digital Health Startup

Tamar Tavory @ Yigal Arnon & Co.
When establishing a digital health startup, considering the regulatory aspects of the product at the initial stage of development shortens time to market and is crucial for your business strategy.

Why regulation is so important for business strategy
Often, especially in the case of digital health software, there is a thin line between software that meets the definition of medical device (“software as medical device”) and non-regulated software. The regulatory status affects the business model, the time to market and the sales options. Designing software in accordance with the regulatory requirements prevents the need to implement last minute changes, could save time and money and may shorten the sales stage. It could also make any due diligence process easier. Developing or offering software that does not (yet) comply with regulatory requirements can result in severe monetary and timeline implications in various stages of the life cycle of the company. 

When we should take regulatory considerations in account
Regulatory aspects should be examined during the initial planning and development stages, to ascertain that the business model is viable and potentially profitable. Regulatory examination requires knowing the details of your product and its intended use and indications. Changing important particulars of the software can alter the regulatory implications. However, reviewing the regulatory aspects at the time of development may remove or mitigate future obstacles.

Before Regulation – Market Research
Market research and regulation are inseparably linked. As medical practice, workflow, and regulations vary from country to country, market research is necessary to clarify the need for the product in the relevant market.  It is important to understand the system for medical care delivery in that country, its medical insurance arrangements, and the pathway the patient follows in seeking to receive the service or the product. The different commercial ways of market access will usually be intertwined with regulatory considerations, as will be detailed below.

Law & Regulation –  What Should Be Checked
A.    Products Related to a Medical Institution, Medical Advice or Treatment, Therapist-Patient Relations
One must ascertain the applicable regulations concerning medical service, the medical institution, and the medical data that devolves according to the current legislation in the target country (for example, in Israel the Patients' Rights Law, the Ministry of Health's Director General's Directive on Telehealth, and Directives regarding transferring medical data to the cloud or on the secondary use of medical data).

B.    Planning the Product According to Privacy Protection Requirements
Privacy protection is not a privilege, but rather a critical legal requirement, especially in the medical field. Privacy regulation varies according to the country of destination. In Israel one must verify compliance with the Privacy Protection Law and Ordinances on Privacy Protection, as well as additional regulatory instructions.

In the United States, compliance with HIPAA (Health Insurance Portability and Accountability Act) should be examined – to the extent that the product is conducted in the framework of relations between the patient and the medical institution, a health care provider or a supplier who works on their behalf (according to HIPAA’s legal definitions of “covered entities” and “business associate” respectively). On the other hand, if the business model is business to client, the legal requirements might be different. Moreover, in the United States, certain individual states adopted a unique privacy legislation which might affect the product.

In the EU, GDPR covers the minimal standards required for privacy protection and one might also need to consider laws for privacy protection of the member state/s.

C.     Checking the Product Requires Regulatory Authorization (Israel, FDA, CE)
Clearly, the question of whether a product is a medical device, and how it should be classified has meaningful monetary and timeline implications. In the United States and in Europe, software used for medical purposes might meet the definition of software as medical device. This field of software as medical device receives much regulatory attention, and it keeps developing. The FDA has provided considerable guidance regarding medical mobile applications, clinical support decision software and general wellness software. Also, the regulatory authorities have published drafts and guidance regarding the use of artificial intelligence in medical device development.

In addition, the regulatory requirements do not end with receiving approval of the initial product or service. The regulatory requirements affect the product throughout its lifespan, and include adherence to various quality control standards, design control measures, risk assessment and risk management approach, product adjustments requirements, labelling and packaging issues and so on. 

D.    When the Product Includes an App, Website, Interface with the Patient
The Legal Aspects Must Be Arranged – terms of use, privacy policy and informed consent forms as applicable and required. In addition, in certain cases it will be necessary to verify compliance with the Consumer Protection Law and with the regulatory limitations of advertising in certain cases (special attention is needed if the product or service in question relates to medical professionals or claims regarding the medical virtues of the product.) In certain cases, adjustments, may be needed to comply with relevant People with Disabilities legislation.

Checking Reimbursement/Insurance Coverage
The insurance arrangements in the market you are targeting influence the business strategy. In the United States, insurance arrangement is called "reimbursement.” The regulatory approval is a required but not sufficient condition for reimbursement, and the clinical data required for reimbursement are different. Reimbursement affects not only the possibility of selling the product, but also its price and scope. This is a unique topic which requires prior consultation with experts to ensure rapid entrance to the market.

What Else Needs to be Considered. Regulation and business decisions regarding regulation might have an impact on tax issues (when focusing on a particular target market or moving your R&D) and have different implications on your IP strategy (for example, claiming you are regulatory similar to other devices in order to receive regulatory approval may expose you to IP breach claims).

The bottom line: If you are a digital health startup, regulatory considerations are crucial to your business success.


Tamar Tavory, Adv. 

Special Counsel, Digital Health

Yigal Arnon & Co Law Firm

Contact us at:

Corona Corner