telehealth and ISO 13131

Navigating ISO 13131: challenges for MedTech manufacturers?

ISO standard 13131 provides a framework for managing telehealth services as part of the medical device environment. It combines the baselines of standards for risk management and medical devices with regulatory requirements derived from the AI (Artificial Intelligence) Act, Data Act and GDPR.

Laws / regulations / guidelines:

  • ISO 13131:2021
  • ISO 13485:2016
  • ISO 14971:2019
  • ISO 31000:2018
  • ISO 27001:2022
  • ISO 27002:2022
  • GDPR – Regulation (EU) 2016/679
  • AI Act – not yet officialised
  • Data Act – Regulation (EU) 2023/2854

Unveiling ISO 13131

The current ISO standard 13131 was published already in 2021. For sure it did not find its way into many hands throughout the medical device industry as it is “just” a guideline for quality planning of telehealth services. Furthermore, its predecessor was not an ISO standard, but rather an ISO/TS, which was not of great interest at the time (2014) as it imposed requirements that nobody was asking for.

So, why should we look at it today? The answer is easy, data is considered highly valuable, and every company likes to have as much as possible. Therefore, every medical device gets connected to the internet in order to report data about real world use and behaviour to the provider of the device or software. Again, why would ISO 13131:2021 help me to rule the market with my medical devices? Let us have a brief look into the standard while comparing with basic requirements of related standards and regulations.

Telehealth in the spotlight: A data-driven era

Why are telehealth services of interest? In the last 5 years, laws and regulations were rising all around the world while data has been named the new oil. Clearly, data is becoming the main focus for most companies. However, the new laws and regulations put a sense of ethical and fair use in the processing of personal data. That is where it gets interesting, especially in the medical device industry, where the processed data is related to a patient and/or operator. While patient data is sensitive due to medical insights in most cases, operator data is data belonging to subjects that are prone to an imbalance of power regarding their employer. This means both kinds bear a certain kind of risk for the data subjects which must be respected. This is especially of interest where such data is processed in a different location than it is collected. This is where telehealth comes into play, which is often not claimed to be part of the medical purpose itself and therefore not under suitable quality control.

Understanding ISO 13131: Guiding telehealth services and defining the scope

First, the ISO 13131 is still a guidance to build a framework for managing several needs for your telehealth services. So, there is no harsh requirement by the standard itself, you do not need to spend money on certifications, but it can be used to effectively implement requirements from regulations which may affect your company if not properly respected.

Second, what is meant by telehealth service and why is that applicable to my company? Telehealth services are described as healthcare activities supported at a distance using information and communication technologies. It is important to know that this concept is also applicable if the subject of care is not directly part of the activities. This is the case for example for online exchange platforms for physicians to discuss certain cases and how to treat the disease in scope. Furthermore, it involves activities recommended by a health professional to a potential patient for preventative advice and healthcare process management. A typical scenario under this criterion could be the patient asking a voice-supported smart home system which medication they need to take, while a physician or healthcare professional has prepared the treatment plan. Last but not least, real-time and delayed interactions between actors (caregiver, patient, HCPs, supporting organizations, etc.) are also in scope of the standard. Examples in this regard are movement tracking applications via smartphone or other connected equipment.

Navigating ISO 13131: Structure and content

How is the guidance built on the highest level? The ISO 13131 comes with eight chapters describing the content and three appendices for implementation and understanding.  Each of the chapters starts with a brief overview of the content followed by a collection of contained quality characteristics. Further, the quality objectives are explained in more detail with the quality procedures applied to achieve them. This structure makes it easier to understand the content and to map it to applied quality management systems.

Integration with quality management systems: A seamless process

How does 13131 integrate into existing and enforced quality management systems like ISO 9001 or 13485? All the quality systems are built upon the Demming cycle of Plan, Do, Check, Act and so this standard does. That makes it easy to plug additional parts into your existing system in the respective phase. Of course, details and interfaces to existing processes shall be analyzed and respected as nobody likes redundant efforts. Next to the system view and how the pieces fit together, the guideline relies on the risk-based approach which makes any mitigating actions fully reliable to already existing processes. The guideline itself is agnostic of the risk management method applied and is for sure fully compatible with ISO 14971 and 31000 needs.

ISO 13131 and ISO 13485: Aligning resources for telehealth

With more focus on the medical device environment according to ISO 13485, we will find other parts of the 13131 guide which map well to quality management systems. Especially, where the subject of interest is in the management of resources required to sustainably deliver telehealth services. The chapters 6.3 points a) to c) of ISO 13485 are in line with the guide chapters 12 to 14 about facility management, technology management and information management which has a certain overlap with the ISO 13485 chapter 6.2 (human resources) as well as chapter 7.5 (service delivery). A difference in the ISO 13131 is chapter 7, called “Financial Management”. A topic which does not exist explicitly in ISO 13485. The overall structure of the 13131 allows a smooth integration into existing quality management systems according to ISO 13485 to consider for telehealth services.

Looking ahead: Data protection and ISO 13131

We will go on analyzing ISO 13131 in the next article with regards to data protection and how it provides a good basis for basic requirements to be fulfilled.

If you have any questions, do not hesitate to contact our expert Roland Schnitter directly: roland.schnitter@eumediq.eu