Functionality of software in countries with different legal requirements


Hello all

I have a question about using one piece of software across several countries which have different legal requirements. I will try to explain...


You have a piece of software that is sold globally and can analyse a wide range of medical data. This software is core to your medical device so cannot itself be changed.

Your medical device analyses a sample and has the potential to generate a huge amount of data. You as the developer can decide what parts of this data to report to a clinician. Some countries have clear legal requirements on what data can and cannot be reported.

Is it acceptable for the device & software to still analyse the samples for this restricted information and simply not report it, or should the software not perform that analysis so the data is not available in the software at all?


I can't find anything online that gives me a clear answer on this so would appreciate your help.



Unfortunately, this is going to be decided on a case-by-case basis. In general, simply not reporting it should be sufficient, but that is not necessarily true in every country.

For example, if your device has Protected Health Information (PHI), per HIPAA or GDPR regulations, even if you don't report data, you have to store it with a certain level of encryption regardless of where you are.

Another example would be reporting ID/AST results for an IVD test. Certain drugs are not allowed in certain countries. However, even if you analyze data for an unapproved drug, if you never report the result, that should be fine.

Another non-medical device example would be Apple's AirTags. AirTags ping nearby iPhones so their location can be found online. AirTags are allowed in some countries but not in others. Apple has the same firmware on all the AirTags, but the iPhone iOS doesn't respond to the AirTag if the phone determines that it is in a restricted area.