The metaverse in healthcare: What are the legal implications?
For some time now, there has been talk of the metaverse as a tool with great potential for increasing opportunities for treatment, research, and training in healthcare.
Imagine a virtual reality where a physician can “meet” a patient or other physicians and where data are exchanged in real time, scenarios are simulated, and virtual and immersive tools allow physicians all over the world to simulate surgeries to prepare to operate—or even to operate remotely. Imagine virtual rooms where physicians and medical representatives can convene. The health-sector possibilities are seemingly endless.
Naturally, all of this raises legal questions about what kind of tools will manage and regulate the metaverse in healthcare. Obviously, there is not yet a firm answer to this question. As is always the case when the law follows in the wake of science and technology, specific issues are emerging and answers and solutions are being sought. This often happens in fits and starts, or with two steps forward and one step back. It’s all part of a process of striking the right balance between often opposing interests and needs—a process that requires time and patience, as the recent ChatGPT privacy affair demonstrated.
Purely legal issues surrounding the metaverse in healthcare obviously will differ depending on the purpose of each specific tool. The metaverse is a technology, and therefore “neutral” from a legal standpoint. What is relevant for assessing legal implications is what is done in the metaverse and how it is done.
Metaverse for healing
When we speak of using the metaverse to treat disease, we usually are talking about software and apps designed to treat a specific pathology, mitigate its symptoms, support rehabilitation, and so on. In other words, these are software/apps that fall under the definition of medical devices under Regulation (EU) 2017/745 (MDR), so they must be classified as medical devices and therefore are subject to medical-device certification and all the safety and quality requirements in the MDR.
However, not all software used in healthcare can be categorized as a medical device. It is essential that the purpose of the software be one of the purposes expressly listed by the MDR, as confirmed by case law from the Court of Justice of the European Union (judgment of December 7, 2017, Case C-329/16) and an Italian court (TAR (Regional Administrative Tribunal) of Milan, judgment no. 452 filed on February 23, 2022). A piece of software is a medical device when it is “intended by its manufacturer to be used specifically” for one or more of the medical purposes set out in the definition of medical device; this is not the case “for software that, while intended for use in a medical context, has the sole purpose of archiving, collecting, and transmitting data.” The latter type of software may be used in a medical context, but it is not a medical device.
Metaverse for communication
The metaverse can also provide a more efficient mode for doctor-patient communication. For example, it can be used for telehealth appointments. In this case, from a legal standpoint the metaverse is similar to a telephone or video call used to transmit information, medical advice, and prescriptions. It has no medical function and is not considered a medical device.
The TAR decision cited above makes clear the distinction between medical-device software and software merely for communication and data storage. The case concerned a hospital’s rental of electromedical equipment needed to read patient parameters (oximeters and electrocardiographs)—which obviously required CE marking—and services connected to the storage and management of patient data, monitoring data, and data relating to therapy and clinical decisions—which did not require CE certification. The court confirmed that the contracting authority was correct in stating that a platform that merely classifies and stores health data acquired via medical devices, creating a database that can then be consulted while providing telehealth services, cannot be classified as a medical device.
When software cannot be classified as a medical device, the most important legal issue is probably security for virtual data transfer and storage (which obviously also is an issue for software classified as a medical device). In addition to the general privacy law, the telemedicine law is key here. That law applies based on the specific telemedicine tool implemented and sets minimum security requirements for platforms used for related services.
The Ministerial Decree of September 21, 2022, approved guidelines for telemedicine services (including functional requirements and service levels). It provides that the production environments for telemedicine platforms must be provided on the “cloud” according to the SaaS (Software as a Service) or PaaS (Platform as a Service) model, and that: (i) data and users must be properly separated and isolated at the application level, using appropriate authentication and authorization mechanisms required for the information to be visible; and (ii) depending on the type of data that will be produced, acquired, and exchanged by the regional telemedicine infrastructure (IRT), the level of information assets may be labeled critical, making it necessary to orient the design of the IRT toward one of the following models: encrypted public cloud (in national territory); private/hybrid “licensed” cloud (in national territory); or private cloud (in national territory).
Metaverse for training
The metaverse can also be used to train and educate surgeons and other doctors. For instance, a virtual space can be created where surgeons can train to perform operations or prepare for the operating room by simulating surgery after entering patient parameters into the platform. Here again, the function of the virtual reality tool in question should be considered to determine whether or not it should be classified as a medical device. Some tools will be intended only for training physicians, while others will have more direct impact on patient care.
Alternatively, for other forms of training, doctors and medical representatives may meet in dedicated virtual spaces. This is a matter of understanding how the rules on medical-scientific information can be applied by adapting them to this new modality. For example, there might be discussion of how to oversee communication of the “avatar” information provider, or how to implement limits on the number of visits when a virtual room is always accessible. These are just a few examples of the many issues that may arise.
Metaverse and artificial intelligence
The combination of the metaverse and artificial intelligence, which enhances the potential of all the tools mentioned above, raises further issues related to personal data protection and use of these tools to drive this technology. This is not the place for a full discussion of those issues, but clearly the current Italian legislation on secondary use of personal data collected for different purposes is very restrictive (due to its distinctly “consent-centric” approach) and may block development of new technologies based on artificial intelligence.
So, we are waiting to see how the metaverse will play out in the world of healthcare, as well as whether and how current regulations will change to face the new challenges ahead.