Telemedicine, i.e. the provision of health services remotely using modern technologies, is changing the face of Czech healthcare. Its rapid development offers undeniable advantages: it improves access to care, increases efficiency and can lead to better treatment outcomes. Patients appreciate easier access to doctors without leaving the comfort of their homes, and doctors gain new tools for monitoring and communication.
However, with these innovations come a number of legal challenges. Protecting the privacy of sensitive medical data and the risk of cyber-attacks are key. Providers need a clear legal framework so they can innovate without fear of penalties and litigation. Uncertainty in this area prevents telemedicine from reaching its full potential and stands in the way of the digital transformation of healthcare.
Author of the article: ARROWS (Mgr. Dita Zbožínková, LL.M., office@arws.cz, +420 245 007 740)
Telemedicine covers a wide range of services: from video consultations with a doctor, to remote monitoring of health data, to image transmission for specialists. Crucially, telemedicine enables even a partial decision or performance within the health services provided, which distinguishes it from the mere transmission of information.
The key difference lies in intent and purpose. If the app only provides supporting information (e.g. step tracking, general lifestyle advice, mood recording), it is a wellness app. But if it collects, processes or analyzes data for the purpose of diagnosis, treatment or prevention, and enables a medical decision or procedure, it falls under the stricter regulation of telemedicine. Misclassification can have serious legal consequences, including penalties for non-compliance with medical device regulation.
It significantly increases access to care, especially for people in remote areas or with limited mobility, and eliminates commuting time. It improves the efficiency of doctors and the whole system, which can lead to reduced waiting times and financial savings. Ultimately, it leads to better treatment outcomes due to the possibility of continuous monitoring and rapid response. However, these benefits can only be realised with proper legal treatment of all aspects of the provision of telemedicine services.
Czech legislation is dynamically adapting to the development of telemedicine, but the pace of technological change is often faster than legislative processes. The amendment to Act No. 372/2011 Coll., on Health Services, redefines telemedicine and sets out the basic conditions for its provision. The key point is that telemedicine can be provided outside a healthcare facility, but subject to strict compliance with technical requirements on the quality and safety of communication. It is important to note that telemedicine is not a separate type of health service, but rather a form of its provision. This means that it can only be provided by a health service provider with a valid authorisation for that type of care.
The amendment to the Act (No. 240/2024 Coll., effective as of 1 October 2024) is accompanied by implementing Decree No. 30/2025 Coll., which regulates the quality and security of communication and the encryption of the communication channel, the method of proving the identity of the communicating parties, and the method of expressing and recording the patient's consent or non-consent to the recording of the communication between the provider and the patient.
One of the most common legal ambiguities is the assessment of the software used in telemedicine. Software that enables even a partial decision or performance (e.g. diagnosis, treatment, monitoring) in healthcare is classified as a medical device. Such software is then subject to the strict European Regulation (EU) 2017/745 (MDR), which is implemented by the Czech Health Services Act.
Manufacturers of such software must meet demanding requirements for safety, quality, documentation (including instructions for use in the Czech language), clinical evaluation and post-marketing surveillance. They must be registered in the European database EUDAMED or in the national Register of Medical Devices (RZPRO) maintained by the State Institute for Drug Control (SÚKL). Many developers of telemedicine applications or platforms may not be aware of these demanding requirements, which can lead to unforeseen certification costs and, in extreme cases, legal liability for non-compliance.
The provision of telemedicine services involves several key legal areas that need to be controlled.
Healthcare data sensitivity: why is patient data a goldmine for cyber attacks?
The healthcare industry deals with a huge amount of special categories of personal data, which include sensitive information about patients' health, diagnoses, treatment and medical history. This data is extremely valuable on the black market and becomes an attractive target for cyber-attacks, including ransomware, phishing attacks and unauthorized access. Leaks of such data pose a significant risk to patient privacy and can irreversibly damage the credibility of providers.
Provider obligations: how to ensure technical and organisational measures, data minimisation and pseudonymisation
Providers must put in place robust technical and organisational measures to protect personal data in accordance with the GDPR. Key measures include:
Informed consent is the cornerstone of the relationship with the patient, and in telemedicine its role is even more essential.
Specifics of informed consent in telemedicine: what it must contain and how to obtain it correctly
In telemedicine, clear and comprehensible information is key to ensuring that the patient fully understands the nature of digital care. Consent should be easy to understand and should include:
Recording communication: how to ensure compliance and patient trust
Recording of telemedicine communication (e.g. video calls) is only possible with the patient's explicit consent. This consent must be recorded in the medical record. Transparency and the ability to refuse recording are key to building patient trust.
The Health Services Act obliges providers to take out an insurance contract for liability for damage caused during the provision of health services. Given the new risks of telemedicine (e.g., errors in remote diagnosis, cyber-attacks leading to data leakage, software errors), adequate insurance is essential to protect against the financial impact of potential litigation and compensation. It is important to verify that existing insurance covers the specifics of telemedicine.
The development of telemedicine also raises the issue of cross-border provision of services within the European Union. The EU is actively promoting the digitisation of healthcare and is working towards the creation of a European Health Data Space (EHDS) to facilitate the exchange of data across Member States and promote digital health services. The Czech Republic is actively involved in European interoperability projects.
When providing services across borders, it is crucial to address the complex issues of jurisdiction, applicable law (which country's law applies) and mutual recognition of health professionals' qualifications. The provider must carefully analyse the laws of both the country from which the service is provided and the country where the patient is located to avoid inadvertent violations.
Non-compliance with telemedicine legislation can have serious consequences for healthcare providers, threatening their business and reputation.
The Health Services Act allows the competent administrative authority (regional authority, Prague City Hall) to suspend or even revoke authorization to provide health services. The reasons include, in particular, serious or repeated breaches of the obligations laid down for the provision of health services or failure to keep proper medical records. Withdrawal of the authorisation means the de facto end of the provider's activity.
Violations of the GDPR, especially in the area of sensitive healthcare data, carry the risk of very high financial penalties. The penalties are "two-tiered": up to €10 million or 2% of total annual worldwide turnover for minor breaches, and up to €20 million or 4% of total annual worldwide turnover for more serious breaches. The OCCP actively monitors compliance with the GDPR and imposes fines that are not just a theoretical threat.
Telemedicine is the undisputed future of healthcare, offering huge potential for improving accessibility and efficiency of services. However, in order for this potential to be fully and safely realised, it is essential to carefully navigate the complex and ever-evolving legal environment.
It is crucial for health service providers to focus on these areas:
Failure to comply with these rules can lead to serious penalties, including revocation of the authorisation to provide health services, heavy financial penalties and the obligation to compensate the patient. To ensure legal certainty and minimize risks, it is essential to have an experienced legal partner by your side.