There is no getting around it (anymore): AI is hot. Artificial Intelligence is long past its infancy and has evolved from small-scale hobbyism to full-fledged application across all kinds of business areas. Use of AI can optimize service quality, increase productivity and save costs. Healthcare organizations are also increasingly exploring the use of AI. But what should you pay attention to? Using a brief example, we discuss the main points to consider when purchasing AI.
Artificial Intelligence (or: AI) is not a well-defined legal concept. In short, you could describe AI as the concept where computers analyze large amounts of data and exhibit "intelligent" behavior based on it. For example, consider a tool that can predict with a high degree of accuracy which patients will show up for a consultation, or that supports doctors in analyzing MRI scans.
Within the healthcare domain, the use of AI can be very attractive. Suppose your hospital is approached by a vendor that specializes in image analysis software tools. The supplier would like to gain access to scans of patients diagnosed with skin cancer in order to develop a software tool that can recognize skin cancer at an early stage. You would then receive a substantial discount on its purchase cost. Recognizable? Then make sure you read through the tips below before negotiating with the vendor.
Before engaging with the vendor, it is important to get a clear picture of the AI solution, the parties involved and the risks. Therefore, be sure to clarify the questions below in advance:
1. What kind of AI do I purchase, and what is the cost?
2. What data is needed, who will be granted access to it and for how long?
3. What are the legally relevant aspects?
4. What risks am I running, and can I possibly mitigate them contractually?
The supplier will be your first point of contact for answering questions 1 & 2. Make sure you have a good understanding of what you are being offered and do not hesitate to ask questions. It is also wise to get an early understanding of the cost picture and verify your assumptions: this will avoid unpleasant surprises.
AI and big data go hand in hand. To work properly, the tool needs enormous amounts of searchable data. Therefore, make sure that you can and may actually provide that data and make sure that access to that data is properly secured. Ask critically about the possible use of data for other purposes. Experience shows that suppliers prefer to reserve the right to (continue to) use the data to train their algorithms and thus improve their product. For some vendors, this is even a non-negotiable point. Especially in healthcare, where the data will in many cases qualify as special personal data, this is a potential breaking point and certainly not something you want to find out only in the contract phase.
There are no specific provisions dealing with the procurement or application of AI within the healthcare domain. (1) In principle, therefore, we fall back on general civil law.
Provisions regarding (product) liability and intellectual property rights are important when purchasing AI.
In addition, further specific legal provisions will need to be assessed on a case-by-case basis. For example, AI uses large amounts of data, so privacy issues will be important (see Part 2 of this blog post).
AI solutions within the healthcare domain may qualify as a medical device, which means there are strict(er) requirements for their use. This is because on May 26, 2021, the EU Medical Device Regulation (MDR) entered into force. By adjusting the definition of "medical device," more software applications will qualify as medical devices.
The Medical Treatment Agreement Act (WGBO) and the Care Quality, Complaints and Disputes Act (Wkkgz) may also entail additional obligations. The mandatory provisions of Article 7:446 et seq. of the Dutch Civil Code that relate to the medical treatment agreement may also be important.
When you have a good idea of the legal framework, you can also get a good idea of the risks involved in purchasing and applying the tool. Ultimately, the risks will be covered in a thorough contract. This includes not only the division of liability (including the necessary indemnifications, for example for security breaches, IP infringements or data leaks), but also any division of ownership, audit rights, a solid SLA and, where necessary, an exit clause.
In short: the acquisition of AI applications can also be of great value within the healthcare domain. It is important to identify the (legal) risks at an early stage. Consider not only specific legal obligations (GDPR, known in the Netherlands as the AVG, and the MDR), but also a thorough risk allocation in the contract.
Footnotes
(1) However, the European Commission has now established Guidelines that reliable AI solutions should meet, see: https://ec.europa.eu/digital-single-market/en/news/ethics-guidelines-trustworthy-ai.