Introduction

Smartphones, wearable devices, telemedicine platforms, artificial intelligence software, internet applications and other digital health technologies are advancing and transforming disease diagnosis, therapy and other medical practices by physicians, direct-to-consumer  services for better health and well-being, and other healthcare services. A telehealth service is an example of the healthcare services that have become available through the development and use of the digital health technologies. 

Telehealth services involve complex and evolving regulatory considerations and challenges in Japan. Although not intended to be a comprehensive guide, this article will highlight the regulatory issues that non-physician service providers need to be aware of as they seek to provide telehealth services in Japan.

License and approval

Only licensed physicians are qualified and permitted to engage in medical practice

Article 17 of the Medical Practitioners Act of Japan provides that only licensed physicians are qualified and permitted to engage in a "medical practice". A non-physician telehealth service provider shall therefore ensure that its service does not constitute a "medical practice". 

Court precedents and the government guidelines provide that "medical practice" is generally interpreted as any activity that would potentially or actually be harmful to humans unless carried out with the medical judgment and techniques of licensed physicians. A key factor in determining whether an activity constitutes a "medical practice" is whether medical judgments and techniques are involved. However, whether an activity involves "medical judgments and techniques" is not clearly delineated and rather remains to be determined on a case-by-case basis through review and analysis of specific facts.

The "Guidelines of Appropriate Implementation of Telemedicine"  (MHLW Telemedicine Guidelines) might be useful for determining what amounts to "medical practice" in a particular case. The MHLW Telemedicine Guidelines provide that a "general telehealth consultation service" for telehealth services is not considered telemedicine as a "medical practice", and therefore may be provided by someone other than licensed physicians. A "general telehealth consultation service" permitted therein is limited only to general consulting services through a delivery of general medical literature or a general encouragement of a physician visit, where a suggestion of any disease based on conditions unique to a subject, a diagnosis, or any other activity involving medical judgments shall be excluded and prohibited as telemedicine (i.e., "medical practice").

SaMD is required to be approved or certified to be marketed in Japan

What is SaMD

If software which is marketed independently from a tangible device is considered to be software as a medical device (SaMD), the software is required to be approved or certified under the name of a holder of an applicable marketing authorization as a business license in order to be marketed in Japan under Articles 23-2(1) and 23-2-5(1)  of the Act on Securing Quality, Efficacy and Safety of Products Including Pharmaceuticals and Medical Devices (Act No. 145 of 1960, as amended) (PMD Act).  A telehealth service provider shall therefore review whether or not software marketed in relation to its service is considered to be SaMD.

The "Guidelines of Criteria for Judging SaMD"  (MHLW SaMD Guidelines) provide a fundamental policy and criteria for determining whether software shall be deemed as either SaMD or non-SaMD. The purpose of use and a degree of risk are two basic elements for the judgment, where SaMD is generally defined as software (a) which is to be used for diagnosis, therapy, or prevention of disease or for any other purposes as a medical device and (b) a malfunction, or a misuse by misled patients or users, of which is likely to affect life and health of the patients or users. Under this definition, a software to be used for the following purposes is excluded from SaMD: patient education; in-hospital operating support or maintenance; or personal health or exercise check and management by patients/users. Software that executes processing equal with a Class I medical device (tangible device) is also excluded from SaMD due to the low degree of risk to affect the life and health of the patients or users. 

The MHLW SaMD Guidelines including its appendixes and exhibits, as well as a list of precedents of the MHLW's determinations as to SaMD or non-SaMD status that is regularly updated on the MHLW SaMD website, are helpful to conduct a specific review on whether a software shall be considered to be SaMD. Even with reference to such a list of the precedents and the Guidelines, it might still be difficult to conduct the review of the degree of risk–mostly the review of whether software executes processing equal with a Class I medical device (i.e., non-SaMD) or more to be recognized as an upper Class (i.e., SaMD). Consultation with the Compliance and Narcotics Division in the Pharmaceutical Safety and Environmental Health Bureau of the MHLW, which centrally accepts and manages request for consultations on the review, would be a possible pathway to complete the review in such difficult situations. It would then be important for an applicant to prepare and show materials that may justify its own view on whether a software shall be considered to be SaMD.

Apart from the foregoing issue on the scope of SaMD, there are various regulatory issues on SaMD outstanding and subject to ongoing discussions. Regulatory mechanisms to develop innovative SaMDs in Japan used to trail developments in jurisdictions, but the authorities and the players in Japan's healthcare industry have been speeding up discussion on various relevant topics such as fast track approval systems for innovative software, digital therapeutics, AI and machine learning, and reimbursement. A telehealth service provider who finds a possibility of marketing SaMD products in Japan might have to keep following the progress in the discussion.

Options for foreign manufacturers

Anyone who would like to market a SaMD as its own brand in Japan (i.e., under a marketing authorization approval or certificate in its own name) is generally required to obtain an applicable marketing authorization license as a business license by fulfilling certain necessary criteria provided by the PMD Act and relevant government ordinances and notices. Such criteria includes, without limitation, no causes for disqualification, conformity with the quality management system requirement, conformity with the good vigilance practice requirement, and conformity with certain personnel requirements (e.g., engaging a qualified general compliance manager for marketing). 

It is sometimes difficult for a newly established Japanese subsidiary of a foreign SaMD manufacturer to fulfil all the criteria to obtain a marketing authorization license as a business license. In that case, the foreign SaMD manufacturer might consider one of the following options. Licensing to a Japanese medical device company who holds an applicable marketing authorization license might be one of the options, though such device companies tend to prefer to market a SaMD under its own brand (i.e., under a marketing authorization approval or certificate in its own name). Another option might be a Designated Marketing Authorization Holder (D-MAH) scheme where a foreign SaMD manufacturer is allowed to hold a marketing authorization approval or certificate for its SaMD in its own name (Special Approval for Foreign-manufactured Medical Devices), provided that it designates and engages a marketing authorization license holder for its SaMD and complies with obligations and responsibilities imposed on a holder of Special Approval for Foreign-manufactured Medical Devices by the PMD Act and relevant government ordinances and notices. Each of the options has pros and cons from both regulatory and commercial perspectives that would need to be considered by a telehealth service provider who finds there is a possibility that its service/software may be considered a SaMD.

Telecommunications service provider is required to be filed with authority

If a service is considered to be "telecommunications" business, a filing is required (or, under certain circumstances, registered) with the applicable authority under Article 16(1) (or, for a case to be registered, Article 9) of the Telecommunications Business Act. A telehealth service provider shall therefore review whether its service, in whole or part, is considered to be a "telecommunications" business or not.

Generally speaking, "telecommunications" business broadly covers any business which (a) mediates communications between third-party users by use of telecommunications facilities, (b) installs and makes available telecommunications facilities for communications including communications between the service provider itself and a third-party user, or (c) provides certain designated domain name related services.  It might be unlikely that a telehealth service provider itself installs and serves telecommunications facilities (see [b] above) or provides domain name related services (see [c] above), but on the other hand it is highly possibly if it includes a service which mediates communications between third-party users by use of telecommunications facilities (see [a] above) such as message or closed-chat applications or functions for communications between third-party users. In that case, the service is considered to be "telecommunications" business and the service provider is required to be filed with an applicable local telecommunications bureau.

Penalties

As discussed above, it is sometimes hard to determine whether a service is subject to license/approval requirements, but a telehealth service provider shall find the issue critical since a violation of the license/approval requirements (i.e., doing business without obtaining applicable licenses/approvals) may be punishable as follows:   

• Anyone who violates Article 17 of the Medical Practitioners Act shall be punished by imprisonment for not more than three years or a fine of not more than 1 million yen, or both. 

• Anyone who violates Articles 23-2(1) or 23-2-5(1) of the PMD Act shall be punished by imprisonment for not more than three years or a fine of not more than 3 million yen, or both.  

• Anyone who violates Article 16(1) of the Telecommunications Business Act shall be punished by imprisonment for not more than six months or a fine of not more than 500,000 yen.

Responsibilities of Service Provider

Responsibilities of telemedicine platform providers

As discussed above, only licensed physicians are qualified and permitted to engage in telemedicine as a "medical practice". The MHLW Telemedicine Guidelines require physicians engaging in telemedicine to comply with obligations provided therein, and also require a provider of a telemedicine platform to establish and provide a secure platform and to fulfil accountability about the platform (i.e., potential security risks) for the physicians.  

In order to be secured as the MHLW Telemedicine Guidelines require, the platform shall have certain security systems which include, without limitation, access management through multifactor authentication, establishment of measures to prevent an unauthorized access and an improper transfer or reuse of a domain and to verify personal identification, access log monitoring and management, regular software update alert function, and communication encoding with a reliable server certification.

If a telemedicine platform is operated on a medical information system in a way that is likely to affect the medical information system, the provider of the telemedicine platform shall further comply with the "Guidelines of Security Management on Medical Information System (Version 5.1)"  and the "Guidelines of Security Management for Providers of Medical Information System/Services".  The provider shall ensure that a server storing certain statutorily stipulated medical information is installed in a way that makes it accessible to local law enforcement, the MHLW, and any other applicable authorities for review and that the provider assumes responsibility for any extraordinary risks, establishes a security system to prevent the medical information system from being hacked, and has the conformity of the telemedicine platform to certain requirements under the foregoing security Guidelines certified by an appropriate third-party certification body.

Responsibilities of SaMD providers

A holder of a marketing authorization license for SaMD shall comply with the obligations and responsibilities imposed on it by the PMD Act and relevant government ordinances and notices. Such obligations and responsibilities include, without limitation, manufacturing and quality management in compliance with the quality management system regulations, post-marketing operation in compliance with the good vigilance practice regulations, prevention of harm, reporting of side effects, and reporting of recalls. Some of the responsibilities apply to a holder of Special Approval for Foreign-manufactured Medical Devices under the D-MAH scheme. 

In terms of cybersecurity, "Cybersecurity Guidance for Medical Device"  requires ensuring medical device cybersecurity for the purpose of avoiding harm to medical device users and shows certain guidance on how to manage cyber risks. 

Responsibilities of Non-SaMD providers

If software is considered to be non-SaMD, neither marketing authorization license nor approval under the PMD Act is required for the software. A provider of such non-SaMD software shall nonetheless take into consideration its obligations to comply with the PMD Act. It is especially required to not mislead consumers into recognizing a non-SaMD product as a medical device. Any such misleading claims are likely to violate Article 68 of the PMD Act, which prohibits anyone from advertising the name, manufacturing process, efficacy, effects, or performance of unapproved or uncertified medical devices.  Anyone in violation of Article 68 of the PMD Act shall be punished by imprisonment for not more than two years or a fine of not more than 2 million yen, or both. 

There are other advertising or consumer-protection regulations than the foregoing regulation under the PMD Act. These regulations include, without limitation, regulations under the Act against Unjustifiable Premiums and Misleading Representations, the Act against Unfair Competition, and the Act on Specified Commercial Transactions. While the details of these regulations are beyond the scope of this quick guide, each of them likely has to be carefully reviewed depending on the types of products/services to be provided, the structure of planned business, and any other relevant factors.

Responsibilities of telecommunications service providers

The Telecommunications Business Act imposes certain obligations and responsibilities on a telecommunications service provider. If the service of a telehealth service provider is considered telecommunications business, it shall file (or register, as the case may be) as discussed above and comply with stipulated obligations and responsibilities, a summary of which is as follows: 

General obligations: no censorship; protection of the privacy of communications; fair and equal access by users; appropriate management of emergency situations.

Obligations to protect users: notification and documentation of the terms of use; notification of the cessation or discontinuance of service; appropriate management of complaints; prohibitions of certain behaviours disadvantageous to users; appropriate monitoring of contractors.   

Reporting and inspection: prompt reporting of the suspension of service; the divulgation of the privacy of communications or any other critical troubles or accidents in communication; obedience of the government order of business improvement; obedience of the government order of reporting or access and inspection.

As for recent developments, a bill to amend the Telecommunications Business Act will likely be enacted soon. The bill generally aims to: (a) secure stable broadband infrastructure; (b) secure a safe and reliable telecommunications network; and (c) establish a fair and competitive environment. The foregoing (b) might involve a telehealth service provider, depending on the situation including the type and scale of service, since it requires certain service providers to appropriately manage certain information of users by establishing governance mechanisms and notification to users of the transfer of their information to any third party, unless statutorily exempted. A telehealth service provider who finds a possibility of providing a telecommunications service in Japan might have to keep following the progress in the discussion.  

Privacy and data protection 

A telehealth service often involves collection and handling of personal data such that the provider of the service must comply with the Act on the Protection of Personal Information ("APPI").  The following is a rough outline of the main requirements under the APPI.  Determination of what specific requirements may apply in a particular case would depend on the types of products/services to be provided, the structure of planned business, and any other relevant factors. 

• Appropriate collection and use of Personal Information: Anyone who uses database of certain personally identifiable information of living individuals ("Personal Information") for business shall identify and publish or notify the purpose of the use prior to or immediately after collecting the Personal Information, appropriately acquire and use it, and limit the use only to the extent required to accomplish the purpose of the use unless consented to by the subject or statutorily exempted.  
• Regulations on Personal Data
  • Anyone who puts and maintains Personal Information in a searchable database (Personal Data) shall ensure the accuracy and security of the Personal Data and appropriately educate and monitor employees and outsourcees who manage the Personal Data for security.  
  • Domestic transfer of Personal Data requires prior consent by the subject unless the transfer is statutorily mandated or allowed, is made to certain related parties (a data management outsourcee, a business transferee, or a joint user of data), or is made in accordance with certain qualified opt-out mechanisms. 
  • In general, cross-border transfer of Personal Data is more stringently regulated than the domestic transfer, which requires a special prior consent by the subject who is required to be fully informed of certain items related to how its data is protected in such foreign jurisdiction, unless the transfer is statutorily mandated or allowed (unlike a domestic transfer, neither the related party transfer exception nor the opt-out mechanism is available). However, certain adequate transfer to a foreign third party that has certain appropriate system is regulated similarly to a domestic transfer, provided that the transferor is required to continually ensure the data is secured at the transferee and to inform the data subject of certain items related to how its data is protected in such foreign jurisdiction at its request. 
  • A transferor and transferee of Personal Data shall record the transfer, respectively, unless statutorily or in interpretation exempted. The record is generally required to be disclosed to the data subject at its request. 
• Telehealth services are likely to involve patient records and medical information, which are more stringently regulated than ordinary Personal Information/Data (Sensitive Personal Information/Data). In summary, an acquisition of Sensitive Personal Information requires a prior consent by the subject, the opt-out transfer mechanism is not available for Sensitive Personal Data, and a breach of Sensitive Personal Data per se generates the reporting obligation (see below).
• Rights of data subjects: anyone who has authority to disclose, correct, cease to use or transfer to a third party, or remove Personal Data shall publish certain items including the purpose of use of such Personal Data (Owned Personal Data) and notify the data subject of the purpose of the use at its request, and also manage the data subject’s justifiable request to disclose, correct, cease to use or transfer to a third party, or remove the applicable Owned Personal Data in accordance with the APPI. 
• Obligations to report data breach: certain troubles of Personal Data (e.g., a breach of Personal Data related to more than 1,000 individuals, a breach of Sensitive Personal Data) are required to be reported to the authority and notified to the data subject in accordance with the APPI.  
• Other categories of information: information created through having Personal Information anonymized or pseudonymised in accordance with each applicable criteria provided in the APPI may be released from certain regulations under the APPI.  Information which might not identify an individual (e.g., browsing history data alone) is not considered or regulated as Personal Information, provided a transfer of such information where the transferee may identify an individual in combination with other information the transferee has requires a consent of the subject.  
• Extra-territorial application: from the cross-border perspective, it is important to recognize that even an entity located outside Japan is subject to APPI if it uses any Personal Information of individuals located in Japan in relation to services or product supply to anyone located in Japan.

Conclusion

Telehealth in Japan, like traditional health care, is governed by various regulations that are complicated and continuously changing. Non-physician telehealth service providers need to understand how to navigate these complex regulations at every stage of their business development, and legal representation that is nuanced and skilled at understanding the practical application of these regulations is critical to achieving success in the Japanese marketplace.

_{This publication is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied upon in regard to any particular facts or circumstances without first consulting a lawyer. Any views expressed herein are those of the author(s) and not necessarily those of the law firm's clients.}

References

1. Issued by the Ministry of Health, Welfare and Labour (MHLW) in March 2018, and amended by the MHLW as of January 28, 2022 (Notice No. 0128-2).
2. There is an exception under the D-MAH system (Article 23-2-17) (to be discussed later below).
3. There is also a manufacturing registration and distribution license/filing required to be held, separately from the marketing authorization license, for designing a SaMD and for selling a SaMD to customers, respectively.
4. Issued by the Pharmaceutical Safety and Environmental Health Bureau in the MHLW as of March 31, 2021 (Notice No. 0331-1 (Medical Device Evaluation Division) / 0331-15 (Compliance and Narcotics Division)).
5. The bill to amend the Telecommunications Business Act (to be discussed later below) intends to expand (c), adding certain designated search services and SNS services, respectively.
6. Article 31(1)(i) of the Medical Practitioners Act.
7. Articles 84(iv), 84(v), 90(i) (penalty against employer/principal–a fine of not more than 100 million yen (corporate employer/principal)) and 90(ii) (penalty against employer/principal–a fine of not more than 3 million yen) of the PMD Act.
8. Articles 185(i) and 190(ii) (penalty against employer/principal–a fine of not more than 500,000 yen) of the Telecommunications Business Act.
9. Issued by the MHLW as of January 29, 2021 (Notice No. 0129-1).
10. Issued by the Ministry of Internal Affairs and Communications (MIC) and the Ministry of Economy, Trade and Industry (METI) in August 2020.
11. Issued by the Pharmaceutical Safety and Environmental Health Bureau in the MHLW as of December 24, 2021 (Notice No. 1224-1).
12. Likely to include non-SaMD (i.e., a non-medical device) which is advertised misleadingly into thinking that it is to be used for diagnosis, treatment, or prevention of diseases. 
13. Articles 85(v) and 90(ii) (penalty against employer/principal–a fine of not more than 2 million yen) of the PMD Act.
14. Recent amendment to the APPI enacted in 2020 took effective as of April 1, 2022.
15. Exceptions or exemptions to be applied are mostly omitted in this guide.
16. Articles 17 to 21 of the APPI.
17. Articles 22 to 25 of the APPI.
18. Article 27 of the APPI.
19. Transfer to a third party located in a foreign jurisdiction covered by the adequacy decision is excluded from the more stringent regulations.
20. Article 28 of the APPI.
21. Articles 29, 30 and 33(5) of the APPI.
22. Articles 20(2), 26(1), and 27(2) of the APPI, and Article 7(i) of the Ordinance for Enforcement of the APPI.
23. Articles 32 to 39 of the APPI.
24. Article 26 of the APPI.
25. Articles 41 to 46 of the APPI.
26. Article 31 of the APPI.
27. Article 166 of the APPI.

K&L Gates is a fully integrated global law firm with lawyers located across five continents. The firm represents leading multinational corporations, growth and middle-market companies, capital markets participants and entrepreneurs in every major industry group as well as public sector entities, educational institutions, philanthropic organizations and individuals.