Digital therapeutics and AI-driven health apps: regulatory and IP considerations from a Colombian legal perspective

Wednesday 3 December 2025

Johann Schomberger
Brigard Urrutia, Bogotá
jschomberger@bu.com.co     

Laura Ángel Jaramillo
Brigard Urrutia, Bogotá
langel@bc.com.co

Álvaro Samuel Arias
Brigard Urrutia, Bogotá
sarias@bu.com.co

Feisar Santiago Castro
Brigard Urrutia, Bogotá
scastro@bu.com.co

Carlos Augusto Latorre
Brigard Urrutia, Bogotá
clatorre@bc.com.co

Context: medical records and data privacy implications

The provision of healthcare services has undergone a profound transformation with the incorporation of digital technologies, expanding modalities of care beyond face-to-face encounters between patients and professionals.

In this context, digital therapies and applications based on artificial intelligence (AI) are establishing themselves as emerging tools for the promotion, prevention, diagnosis and treatment of diseases. However, their implementation must be coordinated with the obligations arising from the management of medical records, an essential document for medical practice and the exercise of the right to health.

Within the Colombian regulatory framework, medical records are defined as the mandatory and chronological record of the patient’s health conditions, medical acts and other procedures performed by the healthcare professionals (HCPs) involved in the medical services performed, subject to confidentiality and secrecy, which can only be disclosed to third parties with the patient’s prior authorisation or in cases provided for by law (Article 34 of Law 23 of 1981 and Article 1 of Resolution 1995 of 1999 issued by the Ministry of Health (MOH)). Due to their nature, medical records must be comprehensive, sequential, available for use when needed, and filled simultaneously and immediately after the service is provided to the patient.

Local constitutional case law reinforces this, recognising the medical record as a private document containing an orderly and detailed account of the patient’s physical and mental data, protected by the fundamental right to privacy (Constitutional Court, Judgment T-158A of 2008). Thus, its processing, access and storage are covered by habeas data guarantees, which are also regulated by Statutory Law 1581 of 2012 on the protection of personal data.

It is the responsibility of HCPs/healthcare organisations (HCOs) to complete and store medical records in accordance with current regulations. For this reason, app developers and data processors must recognise that control over the medical record rests with the authorised HCOs/HCPs, and any access, integration or extraction must respect the provider’s custodial obligations and the patient’s rights.

According to Resolution 1995 of 1999, amended by Resolution 839 of 2017, due to its comprehensive nature, the medical record must contain all services provided, medical observations, dates, and recommendations provided to the patient. Additionally, it must be stored for a minimum period of 15 years from the date of the last medical service.

Law 2015 of 2020 introduced to Colombia the interoperable electronic medical record (HCEI), aiming to ensure secure and efficient availability of user information across HCPs/HCOs.

The HCEI enables the standardised exchange of clinical data through digital platforms, strengthening continuity of care, traceability of medical procedures and interoperability of health information systems. However, this technological evolution poses new challenges in terms of security, confidentiality, interoperability and legal liability, especially with the incorporation of AI systems that can process, analyse or generate clinical information.

In the context of digital therapies and AI applications, medical records take on a central role as a source of data for personalising treatments and automated clinical decision-making. However, the use of this information must strictly comply with the principles established by data privacy regulations. Any automated processing of medical record data must guarantee the protection of sensitive information, the prior, express informed consent of the patient, and the possibility of auditing the algorithms used.

Regulatory considerations

In Colombia there are medical apps registered before INVIMA (the local health authority) that fall into the category of digital therapeutics and health applications as medical devices (MD). The presence of these tools in Colombia shows that the country is making progress in digital health. All of them are software that perform calculations or monitor variables and usually require the oversight of a HCP or a connection to a MD, such as a smartwatch or a test strip. To date (October 2025), there are no INVIMA registrations for applications that autonomously use AI to diagnose or treat; their main function is to record, classify and show data in a useful way. This underscores both the advances achieved and the room for growth to incorporate AI‑based therapies within the Colombian regulatory framework.

Registered applications in Colombia

Atrial fibrillation history feature – Apple Inc.
  • Registration: 2022DM‑0026135 (MD Class IIa).
  • Purpose: This feature for the Apple Watch is aimed at users over 22 who have been diagnosed with atrial fibrillation. The app analyses heart‑rate data to detect arrhythmia episodes and provides a retrospective estimate of the atrial fibrillation (AF) burden (percentage of time spent in AF). The feature does not send irregular‑rhythm notifications and does not replace traditional diagnostic or treatment methods.
ECG App – Huawei
  • Registration: 2022DM‑0025348 (MD Class IIa).
  • Purpose: These apps allow the user to record a single‑lead ECG (similar to lead I). The waveform is automatically classified as sinus rhythm or AF; in some cases they also detect high heart rate. The results do not replace standard diagnostic techniques and are not recommended for users with other arrhythmias.
mySugr Logbook – mySugr GmbH
  • Registration: 2023DM‑0026619 (MD Class IIa).
  • Purpose: A digital diary for people with diabetes. Users can manually enter and synchronise data such as insulin dose, blood glucose levels, carbohydrate intake and physical activity. Its purpose is to support treatment through day‑to‑day data management and optimise therapy by monitoring parameters and offering motivational reminders.
Accu‑Chek SugarView App – Roche Diabetes Care GmbH
  • Registration: 2020DM‑0022641 (MD Class IIa).
  • Purpose This app uses the smartphone camera and an Accu‑Chek Active test strip to estimate the blood‑glucose range semi‑quantitatively. It is aimed at people with non‑insulin‑dependent Type 2 diabetes or prediabetes; an algorithm assigns the result to categories (‘low’, ‘normal’, ‘high’, etc.) and, based on the range, suggests simple actions such as exercise or food choices.
Rekovelle® Dose Calculator – Ferring Pharmaceuticals A/S
  • Registration: 2019DM‑0019206 (MD Class I).
  • Purpose: A mobile app for use exclusively by HCPs. It calculates the individualised daily dose of Rekovelle® (follitropin delta), a fertility drug. The app uses patient weight and anti‑Müllerian hormone (AMH) values to recommend the first‑cycle dose and subsequent cycle doses.

The challenge of this kind of AI-MD lies in the need to prove their effectiveness with evidence. Many are developed by start‑ups that offer innovative solutions but still lack technical, analytical and/or clinical validation, and whose algorithms require more training to reach predictable levels of performance. Nonetheless, Colombia’s medical device registration system relies on the recognition of reference health authorities from other countries: once a clinical AI software has been approved by entities such as the FDA in the United States or the European Union, it can be homologated more easily in Colombia. Without that approval, registration is impossible. Until an AI software obtains a medical device registration in Colombia, it may not claim among its uses:

  • the diagnosis, prevention, monitoring, treatment or alleviation of disease;
  • investigation, replacement or support of physiological processes;
  • diagnosis of pregnancy and control of conception; or
  • care during pregnancy, childbirth or postpartum, including newborn care.

IP considerations

Digital therapeutics and AI-driven health apps have multiple components, which may be protected by the different IP protection systems. Which type of IP protection should be sought and secured depends on a case-to-case basis.

Can digital therapeutics and AI-driven health apps attain patent protection?

Colombia’s patent regime includes protection for inventions whether of product or procedure, in all fields of technology, if they are new, have inventive level (beyond state of the art) and are capable of industrial application. However, the patent law also establishes within the list of non-patentable matters, ‘computer programs or software, as such’.

In principle, there is a prohibition to patent software ‘as such’. However, ‘computer-implemented patents’ are slowly being allowed if the invention (1) falls into one of the following categories: proceeding, machine, product or composition; and (2) does not fall into another legal exception. Colombia is still far from recognising patent protection for all software (or applications).

The advantages of obtaining patent protection include protection over the claimed functionalities and a shift in the burden of proof, presuming all products obtained via the patent proceeding are created using the patent, unless proven otherwise, which can be to be very convenient in the context of patent litigation. Therefore, patent protection, if possible, under the specifications of the case, is the ideal IP protection.

As patent protection for software is still an exception, software is generally protected via copyright. This means that the registration is not requirement, but a recommended formality to facilitate litigation, but also that the protection lies over the ‘literal’ code and not over the functionalities performed.

What sort of protection is available for digital therapeutics and AI-driven health apps entirely created by AI mechanisms?

Colombia’s copyright law establishes that copyright are those rights granted to authors for the adequate and effective protection of the works created through their ingenuity. Further, it defines ‘author’ as the physical person who created or developed the work. This leaves very little room to any discussion regarding whether AI creations, including software entirely written by AI mechanisms, shall have copyright protection. Thus, any digital therapeutics and AI-driven health apps created exclusively by AI mechanisms will not have copyright protection.

Hence, the only alternative would be to comply with requirements of computer-implemented patents as explained before.

Digital therapeutics and AI-driven health apps created by a human but driven by AI are protected via copyright

Digital therapeutics and AI-driven health apps created or developed using AI mechanisms, where a human input is majorly used would belong – as copyright subject matter – to the person or group of people who in fact intervened in the creation of the same. Applicable law defines by work all original intellectual creation of an artistic, scientific or literary nature, which is capable of being disclosed or reproduced in any way. The software should be protected comprising all its elements, namely source code, executable code and user interface (texts, sounds and images, which can be fixed or animated and can be interconnected by interfaces, whose structure and access is controlled by navigation software, resulting in a novel, lightweight, useful and easily accessible product).

The registration of copyright before the Copyrights Office is available and recommended to trigger a presumption that the recorded person or enterprise is the owner of the exploitation rights. However, registration is not mandatory to have copyright protection. Protection is automatic as of the creation of the software.

UI of digital therapeutics and AI-driven health apps may be protected via industrial designs

Colombian law defines industrial designs as the appearance of a product that results from any meeting of lines, or combination of colours, or from any two-dimensional or three-dimensional external shape, which rights are granted via the industrial design registry.

Hence, the subject matter protected is exclusively the special or visual appearance; protection falls on non-technical aspects (not on its functionalities), but the aspects of its appearance that are protectable must necessarily be incorporated in a utility product. This mechanism is useful to protect the appearance of the user interface.

Trade mark and trade dress protections associated to digital therapeutics and AI-driven health apps should also be protected/registered independently

Finally, the trade mark used to identify the app must be registered before the Trademark Office. Colombia has no common law rights deriving from the use of a trade mark; therefore, it is key to conducts an availability search and start the registration proceeding.

Further, Colombian legal provisions do not specifically refer to protection as trade dress, but it is recognised by our legal precedents and courts as a notion obtained from the common-law tradition countries. As a result of not being specifically governed by the law, trade dresses are commonly claimed via unfair competition actions and specifically the unfair act of confusion.

International Bar Association 2025 © Privacy policy Terms & conditions Cookie Settings Harassment policy

International Bar Association is incorporated as a Not-for-Profit Corporation under the laws of the State of New York in the United States of America and is registered with the Department of State of the State of New York with registration number 071114000655 - and the liability of its members is limited. Its registered address in New York is c/o Capitol Services Inc, 1218 Central Avenue, Suite 100, Albany, New York 12205.

The London office of International Bar Association is registered in England and Wales as a branch with registration number FC028342.