Healthcare and online platforms: key regulations to consider

For some years now, the healthcare market has included not only traditional players such as hospitals, clinics, healthcare professionals and pharmaceutical and/or biomedical companies, but also so-called 'online platforms'. These are providers or suppliers of online services that store, manage and disseminate information at the request of the recipients of the services provided.

In this sense, the list of platforms includes e-commerce and marketplaces, social media, app stores and websites. These entities are becoming increasingly important players in the health sector, with an offer and a user focus aimed at facilitating the (usually immediate or rapid) use of a wide range of health services and goods. For example, there are platforms that put users in contact with a specific doctor or that allow them to purchase health services online, even on behalf of third parties.

What are the main regulations governing online platforms in the healthcare sector?

Certainly Regulation (EU) 2022/2065, better known as the Digital Services Act (DSA), with which all online providers have had to comply since 17 February 2024.

The DSA aims to harmonise the security provisions of online services and to reduce the circulation of illegal content through increased accountability and various transparency obligations, such as disclosing the reasons for taking down or moderating content. These obligations are calibrated to the role, size, impact or online visibility and the specific activities of each platform.

In this regard, it is worth noting that the DSA provides for a number of additional obligations on providers of online platforms that enable the conclusion of distance contracts between users and traders, such as their traceability.

It is precisely the conclusion of specific contracts at a distance that could involve the payment of a specific service or good (including health-related ones) and thus draw attention to another European discipline, namely Directive (EU) 2015/2366, the so-called PSD2, which defines and standardises the rules on payment services.

PSD2 lays down precise rules for payment initiation services and account information services. These were previously considered to be mere technical service providers separate from payment services, but are now considered Payment Service Providers.

Therefore, it goes without saying that any e-commerce service provider must be aware of the possible application of the Directive to the payment transactions made through the site or app in question.

It should be noted that Recital 11 of the PSD2 excludes from the scope of the Directive e-commerce platforms that are 'mere' intermediaries on behalf of individual buyers and sellers, with no real scope for negotiating or concluding the sale or purchase of goods or services. However, demonstrating an actual lack of any real degree of control or intervention in the online negotiation and transaction may be the hardest hurdle for a platform seeking to remain outside the scope of this Directive.

While the provisions mentioned so far have been created specifically to regulate online aspects, let us now consider some rules that apply to all market players engaged in certain activities, regardless of their technological nature.

In this regard, one cannot fail to mention EU Reg. 2016/679 (GDPR), which applies whenever there is a processing of personal data. There is no doubt that an online platform can process the personal data of users interested in accessing the services it offers, such as bookings, requests for information, or even the purchase of specific goods.

Accordingly, the provisions of the GDPR must be applied to ensure adequate protection of personal data, especially since platforms operating in the healthcare sector may also process health-related data and therefore need strong security measures capable of preventing data breaches.

Not only that. Given the online nature of the service providers in question, specific obligations under the GDPR must be implemented and, in our experience, very often they are not carried out or are carried out late, potentially exposing the data controller to the risk of sanctions. In this sense, consider the obligation to carry out a prior data protection impact assessment (DPIA) for a processing operation that poses a high risk to data subjects' rights, which is ignored by many providers. For example, Article 35 GDPR requires an impact assessment in cases of large-scale processing of special categories of personal data, and certain processing of health-related data by apps or online sites falls within this scope.

Finally, we conclude this brief overview of the legal requirements for implementing an online platform with a specific reference to provisions regarding advertising, particularly those relating to healthcare advertising.

One of the regulations that applies to online platforms is Legislative Decree No. 206/2005, also known as the Consumer Code. This Code protects consumers from unfair business practices, including advertising. Although advertising activities are generally subject to the restrictions and prohibitions imposed by the Consumer Code, advertising in the healthcare sector, such as for outpatient facilities, healthcare professionals, or health-related goods and services, is subject to specific industry regulations.

Consider, for example, the advertising of private healthcare facilities and healthcare professionals.

Advertising in the healthcare industry is subject to specific constraints, including those outlined in Art. 1, para. 525, of Law 145/2018. This law prohibits the use of attractive and suggestive elements, such as discounts and promotions, that may encourage the improper use of healthcare treatments.

Although healthcare providers are directly liable for their advertising, online platforms that showcase these providers or offer booking and purchasing services on their behalf cannot ignore the restrictions imposed on their clients. Indeed, contractual relationships between healthcare providers and online platforms increasingly include obligations for the providers to comply with healthcare advertising rules. Violating these obligations may result in a breach of contract by the healthcare provider, with the associated consequences.

In conclusion, a comprehensive examination of all aspects, of which the above are only a minimal part, is crucial for the proper implementation of an online platform, especially in a specialized industry such as healthcare.