Managing IT projects in the healthcare sector - a European perspective

The exponential growth in Connected Health and leaps forward in healthcare technology are not just affecting start-ups.

July 2015

The hospital and healthcare market is changing radically all over Europe with large healthcare groups and specialist providers emerging in some Member States and considerable strategic US investments in the European healthcare market.  One of the consequences is a pressing need for healthcare service providers to update their IT, whether by centralising or outsourcing core IT services.

Many of the challenges that hospitals and other healthcare service providers face in this context do not significantly differ from those in other industries when essential structural decisions are made. However, a number of very specific commercial and legal characteristics of this market require particular attention and a sector-specific approach which must take into account (at least) the following:

  • Privacy: Data protection issues are hugely important in the healthcare sector, but in addition to European Member State data protection law, many Member States have additional sector-specific regulation. Some examples:
    • Germany: In Germany, different Federal State hospital Acts exist which usually cover the use of outsourced data-related services and the handling of patient data. Such regulations apply to state-owned and private hospitals but not to hospitals run by religious institutions which are subject to a separate internal regime. In addition, there are specific further regulations for certain kinds of data, in particular for genetic diagnostic data. Further, the right to privacy is backed by obligations of professional secrecy (violations of which constitute criminal acts). The result is a difficult regulatory environment with a number of different stakeholders and this has resulted in outsourcing in the medical sector being extremely underdeveloped in Germany compared with other jurisdictions.
    • Austria: In addition to the Austrian Data Protection Act (Datenschutzgesetz), sector specific legislation, for example the Federal Law about Hospitals and Sanatoriums (Krankenanstalten- und Kuranstaltengesetz), State Laws on Hospitals (e.g. NÖ Krankenanstaltengesetz or the Wiener Krankenanstaltengesetz), the Federal Law on Genetic Engineering (Gentechnikgesetz), or the Law and the Ordinance on Health Telematics (Gesundheitstelematikgesetz und -verordnung) have to be complied with in relation to IT projects in the healthcare sector.  Again, this creates a challenging legal environment.
    • The Netherlands: In the Netherlands, in addition to the Dutch Data Protection Act (Wet bescherming persoonsgegevens), the processing of health data and medical secrecy is governed by, among others, the Medical Treatment Contract Act (Wet geneeskundige behandelingsovereenkomst) and more specific legislation like the Special Admission to Psychiatric Hospitals Act (Wet bijzondere opnemingen in psychiatrische ziekenhuizen). Exchange of personal (health) data through a nationwide Electronic Health Record System is only allowed upon explicit data subject (the patient) consent. In 2015, the Dutch Data Protection Authority has had a strong focus on the processing of health data by healthcare institutions and individuals and, in particular, the processing of Connected Health data, for example data collected through fitness trackers or smartphone applications.
  • Risk Evaluation and Allocation: IT-supported decisions in patient treatment can have an immediate effect on a patient's life and health and can cause irreversible damage if the IT goes wrong. Examples of this might be the display of the wrong medication or the inability to correctly label an important organ donation due to the unavailability of a network printer. To deal with these risks, it is important to develop specific technical strategies and to use sector-specific contractual clauses to ensure appropriate risk management (e.g. specific SLA terms etc.).
  • Transition management: transition management is of particular importance when replacing an old IT solution with a new environment in the healthcare sector.  It is vital to secure an uninterrupted availability of systems closely connected to patient treatment, and to have fall-back solutions in case a project fails or is delayed, including appropriate licences and maintenance agreements for the outgoing system.
  • Procurement law: public bodies or private companies (partly) owned by public bodies in many countries have to follow public procurement rules with strict procedural requirements. This means for affected facilities that an (often time-consuming) contract award procedure has to be conducted prior to choosing a specific partner. This can cause additional time pressure and significant delays which should be factored in, as far as possible, from the outset.
  • Regulatory: last but not least, various additional regulatory requirements exist that, depending on the project, may have to be taken into account. For example, software may be classified as a "medical device" and fall under the respective regulation with its specific requirements. Moreover, there may be specific documentation requirements which need to be met in order to invoice services to private and public health insurers.

    Increasing efforts by the European Union could lead to new demands on a pan-European level. On a national level, different Member State initiatives are currently underway to regulate and incentivise a closer connection between different IT systems in the healthcare sector. For example, in Germany a new e-health law is expected to be enacted in 2015.

    In Austria, at present, a large-scale IT project introducing electronic health records (EHR) implements an information system which - at any time and place - provides hospitals, physicians, pharmacies and care facilities with access to health records (including e.g. hospital discharge reports and medication) of patients that have not opted out, while safeguarding patients' privacy. As a first step, the hospitals of Vienna and Styria will implement the system this year. Further roll-out will then integrate the remaining hospitals, implement e-medication in a specific area, and extend the system to other healthcare service providers.

In the Netherlands a similar effort to introduce an EHR system was initiated by the Dutch Ministry of Health, Welfare and Sport in 2008. It was then cancelled following a unanimous decision by the Senate of the Dutch Parliament in 2011 as (among other issues) the data security of the EHR system could not be guaranteed. Access to confidential health information by health practitioners could not be limited to the data needed for a particular purpose. All health data was accessible for all health practitioners, regardless of a medical treatment contract. In 2013 the EHR system was rebooted as a sector initiative, providing more adequate data security measures. In contrast to the 2008 system, the new system is based on explicit patient consent instead of implied consent.

Just taking the example of three European jurisdictions demonstrates not only the regulatory and practical issues surrounding Health Tech and its use by healthcare service providers, it also highlights the fragmented nature of the regulatory landscape across Europe.  This is a particular challenge to large investors seeking to develop a business across more than one Member State.

If you have any questions on this article please contact us.

Stefan Alich


Frederick Leentfaar


Martin Prohaska


Carsten Schulz


Our lawyers in Germany, Austria and the Netherlands highlight the complex sector-specific issues in their jurisdictions.