Industry focus: Legal considerations for medical technology businesses

17 January 2020

Advances in computing technology have paved the way for significant changes within the medical technology sector. Medtech businesses are now developing medical devices and technologies that are no longer limited to being the traditional aid for a physician, and now include enhanced and more responsive functionalities which allow them to have a more involved role in health and patient care.

Such growth in the industry should come with a greater proactivity and understanding of the legal frameworks and considerations which underpin it. The following provides a summary of the key legal considerations which should be taken into account by medtech businesses.


Health information is regulated as ‘sensitive information’ under the Privacy Act 1988 (Cth) (Privacy Act) and accordingly attracts more onerous obligations. For example, organisations generally require consent from individuals before collecting any health information from them. These obligations generally apply to organisations with an annual turnover of $3 million, or to organisations that provide health services.

Medtech businesses, even if outside the scope of the Privacy Act or not collecting health information, should still be aware of these privacy considerations, given that the targeted consumer base of this technology will most often be health service providers that are required to comply with these privacy obligations.

Privacy considerations become even more important in light of the Government’s announcement of a tougher penalty and enforcement regime under the Privacy Act. Proposed changes to the regime include:

  • An increase of penalties for serious or repeated breaches of the Privacy Act from the current maximum of $2.1 million to the greater of $10 million, three times the value of any benefit obtained through the misuse of the information, or 10% of a company’s annual domestic turnover;
  • Broadened powers for the Office of the Australian Information Commissioner (OAIC) as the key privacy regulator to issue infringement notice penalties of up to $63,000 for organisations and $12,600 for individuals;
  • Expansion of options for the OAIC to address breaches through third party reviews, and/or by publishing prominent notices about specific breaches and ensuring that individuals directly affected by the breaches are advised; and
  • Introduction of specific rules to protect personal information of children and other vulnerable groups.

As device connectivity and data collecting capabilities increase, the collection and management of personal information has been, and will continue to be, subject to intense scrutiny by the public and the Australian Government. It is therefore crucial for medtech businesses to understand and comply with their privacy obligations, or ensure that their medical technologies are capable of compliance with the Privacy Act.


In July 2019, the key regulator of medical devices in Australia, the Therapeutic Goods Administration (TGA), published and implemented cybersecurity guidance to apply to all medical devices, including Software as a Medical Device (SaMDs), that incorporate components that may be vulnerable to cyber-based threats. In the guidance, the TGA clarified the responsibilities of manufacturers and sponsors of such devices to ensure the cyber security safety and quality of the devices. This includes undertaking early assessments to identify potential cyber risks, mitigating the risks with each function of the device during the design and development of the devices, and continually monitoring and managing risk for the devices post-market.

This guidance applies within the existing regulatory framework for medical devices. Medtech businesses should therefore familiarise themselves with the relevant legislative and regulatory requirements referenced within it in order to ensure full compliance with the existing laws.

Proposed SaMD Reforms

SaMDs have become increasingly sophisticated, and many are proposed to be used as standalone medical devices, capable of diagnosing and treating diseases without much input from clinicians.

The TGA has called for reforms to the regulatory framework for medical devices in order to adequately address, and minimise, health and safety risks associated with SaMDs. These proposed changes include:

  • Changing the risk classification rules of SaMDs: Presently, all SaMDs are classified as Class I (representing the lowest risk category for medical devices) as the rules provide for limited risk assessment that does not take the unique risk profiles of SaMDs into consideration. The TGA has proposed that the rules be modified to more accurately determine the risk profiles of SaMDs and impose the necessary compliance requirements where such devices pose a higher risk of harm;
  • Requiring all SaMDs to be included in the Australian Register of Therapeutic Goods (ARTG): Presently, SaMDs developed overseas and made available on app stores for users in Australia to download are capable of exploiting an existing exemption within the regulatory framework and circumventing the requirement to be included in the ARTG. The TGA has accordingly proposed amendments to exclude SaMDs from this exemption and require their inclusion on the ARTG for better visibility and accountability; and
  • Amending the ‘essential principles’ to expressly refer to software: Regulatory requirements for safety and performance of medical devices, also known as ‘essential principles’, currently do not contain any references to software, which makes it difficult for the TGA and for SaMD manufacturers and sponsors to determine the relevant compliance obligations for SaMDs. The TGA has proposed that the principles be amended to specify SaMD requirements, most of which are intended to reflect good software development and security.

In light of the existing gap in SaMD regulation, reforms to Australia’s medical device regulatory framework are most likely inevitable, and will likely reflect the changes proposed above. Medtech businesses should accordingly consider these proposed reforms and how they may affect their SaMDs in anticipation of these changes.

Product Liability and Consumer Law

Product liability has always been a live issue for medical device manufacturers and suppliers. However, the inclusion of digital features and capabilities, such as software, data sharing and remote access, is likely to introduce new vulnerabilities, and accordingly heightened product liability risks.

Where the medical devices and technology are available for direct consumer purchase, the Australian Consumer Law (ACL) and its associated protections will apply.

Such devices are required to meet the standards of the consumer guarantees set out in the ACL. One such guarantee requires that goods are of acceptable quality, including by being fit for purpose, free from defects, safe, and durable. As increasingly sophisticated features become a part of these devices, they may introduce new ways in which the devices can fail.

Similarly, medtech businesses must avoid making representations that are likely to mislead or deceive others about their products, as such representations will run afoul of the ACL. For example, representing a medical device as capable of diagnosing diseases, or making claims regarding the accuracy of the device’s functionalities, is potentially problematic if it creates an overall impression about the device that is false or inaccurate.

Defects in medical devices and technology can also give rise to further liabilities under the common law of negligence and associated state and territory-based civil liability laws. Medical device manufacturers and suppliers can be held liable for damages suffered as a result of defects in the devices where they have failed to meet the requisite standard of care in the manufacturing and supply of the devices.

Intellectual Property

IP can add significant value for businesses, especially those which focus on technological innovation. As such, medtech businesses should seek to better understand and protect their IP value, as they would with any other business asset.

Key IP considerations for medtech businesses include:

  • Understanding the type of IP rights available: Generally, IP protection of medical devices and technologies has come in the form of registered patent rights. However, there is a range of other IP rights relevant to medtech businesses. Software code underlying SaMDs is capable of protection by copyright. The layout and design of integrated circuits within medical devices, if sufficiently original, may also be protected by circuit layout rights under the Circuit Layouts Act 1989 (Cth). The shape or configuration of the devices could also be protected as registered design rights. Brands, names and marks used to market medical devices and other technologies can also be protected as trade marks;
  • Clarifying ownership of IP created: IP ownership will be an important consideration, particularly where the technology is developed as part of a collaborative effort between two or more people. In these instances, the underlying IP can be subject to joint ownership shared between each developer/inventor, which can severely limit the ability to deal with the IP. These difficulties can be avoided by clear contractual arrangements; and
  • Using written IP agreements to navigate business relationships: Written agreements most applicable to medtech businesses include assignments (where the IP is sold and transferred from the owner to another party), licences (where use of IP is permitted on agreed terms and conditions, but its ownership is retained by the licensor) and non-disclosure agreements (used to protect confidential information and innovative ideas).

How can we assist?

The number of legal frameworks and considerations that medtech businesses must navigate is extensive, and can understandably be confusing. HWL Ebsworth’s Intellectual Property, Technology and Health Law teams are experienced in advising businesses within this space on their regulatory requirements, liability risks and intellectual property protection. Please feel free to contact a member of our teams if you would like further advice regarding any legal issues arising in relation to your medtech business.

This article was written by Luke Dale, Partner, Daniel Kiley, Special Counsel and Stephanie Leong, Law Graduate.
