On June 23, 2022, the German Federal Office for Information Security (“Office”) published technical guidelines on security requirements for healthcare apps, including mobile apps, web apps, and background systems.  Although the technical guidelines are aimed at healthcare app developers, they contain useful guidance for developers of any app that processes or stores sensitive data.

The guidelines set out a number of security levels and a security risk assessment.  The risk assessment takes into account the following aspects: (1) the apps’ purpose; (2) its architecture; (3) the source code; (4) third party software integrations; (5) cryptographic implementation; (6) authentication mechanisms; (7) data storage and protection; (8) auditing of paid resources; (9) network communication; (10) platform-specific interactions; and (11) resilience.  The guidelines also include specific security requirements for digital healthcare apps with biometric authentication mechanisms.

The guidelines are based on state-of-the-art security techniques used in the healthcare sector and the Office’s findings in several of its projects.  They also take into account feedback received from industry stakeholders, the German Federal Institute for Drugs and Medical Devices, and the German Federal Commissioner for Data Protection and Freedom of Information.

The Office offers a certification to healthcare apps that comply with the guidelines.

On April 6, 2022, the Office for Civil Rights (“OCR”) at the Department of Health and Human Services (“HHS”) published a request for information (“RFI”) seeking public comment on implementing certain provisions of the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, indicating that a rulemaking or further guidance related to the HITECH Act may be forthcoming.  Specifically, the RFI seeks input as to how covered entities and business associates are voluntarily implementing recognized security practices.  OCR will consider the implementation of such practices when making certain determinations relating to the resolution of potential violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule.  The RFI also seeks input on the process for distributing to harmed individuals a percentage of civil monetary penalties (“CMPs”) or monetary settlements collected pursuant to the HITECH Act.  Although HIPAA does not provide a private right of action, the potential for sharing in monetary penalties or settlements could incentivize individuals to report potential HIPAA violations to OCR.

Continue Reading OCR Seeks Comments Related to Recognized Security Practices and Distribution of Civil Monetary Penalties under the HITECH Act

On March 2, 2022, the Office of Inspector General (“OIG”) for the Department of Health and Human Services (“HHS”) posted an advisory opinion concluding that a digital program for the treatment of substance use disorders would raise minimal fraud and abuse risk.  OIG advisory opinions address the application of certain fraud and abuse enforcement authorities to the requesting party’s existing or proposed business arrangements.

Advisory Opinion No. 22-04 is notable given OIG’s consideration of the unique aspects of the requestor’s digital treatment program, which provides digital tools and contingency management incentives (“CM Incentives”), including cash equivalents, in order to motivate behavioral health changes in individuals who suffer from substance use disorders.  As digital health companies consider unique offerings to improve health outcomes and reduce costs, this advisory opinion provides some guidance on potential guardrails for designing digital health offerings.  The advisory opinion also follows the recent release of a Healthcare Common Procedure Coding System (“HCPCS”) code for qualifying digital therapeutics by the Centers for Medicare and Medicaid Services (“CMS”).  These developments will continue to support digital health companies, as well as drug or device manufacturers considering digital health offerings that complement their products (e.g., drug adherence apps and companion apps to smart devices), in navigating the complex and evolving digital health market.

Background on the Program

OIG issued the opinion in response to a request submitted on behalf of a digital health company (“Requester”).  Requester contracts with a variety of entities, including health plans, addiction treatment providers, employee assistance programs, and other institutions (“Customers”), to provide substance abuse treatment services and CM Incentives to individuals through smartphone and smart debit card technology.  Requester certified that the program is evidence-based, protocol-driven, and consistent with published principles issued by the National Institute on Drug Abuse.

Program Enrollment and Operation

Individuals may be referred to the program by a Customer or may self-refer.  An enrollment specialist, under the supervision of a licensed clinical supervisor, determines what type of services are appropriate for individuals enrolled in the program (each a “Member”).  For example, Members might receive the following services from the Requestor via smartphone:

  • Automated appointment reminders and attendance verification;
  • Medication reminders and self-administration verification;
  • Saliva drug testing, breathalyzer alcohol testing, Smokerlyzer CO testing for tobacco, and saliva cotinine testing for e-cigarettes, all verified via self-video;
  • Self-guided cognitive behavioral therapy (“CBT”) modules;
  • Various surveys and assessments;
  • Certified recovery coaching;
  • Community reinforcement and family training; and
  • Daily support groups.

Requestor is not a provider or supplier under any Federal health care program.  However, Members may or may not receive federally reimbursable services (e.g., a federally-reimbursable counseling session) from another supplier or provider, including from a Customer.

Services are provided and CM Incentives are distributed according to an evidence-based, automated algorithm over a 12-month period, which is divided into three phases of approximately four months each.  During the initial  “anchor” phase, the Member undergoes frequent substance testing and receives active CM Incentives for achieving specified behavioral health goals.  During the second “build phase,” substance testing frequency and CM Incentives decrease.  Finally, the “maintenance phase” reinforces behavioral health goals through non-incentive reinforcements.

Requestor provides CM Incentives through a smart debit card.  Members are eligible to receive CM Incentives based on (1) verified substance tests consistent with medical expectations (70% of potential CM Incentives); (2) treatment attendance (20%); and (3) completion of self-guided CBT modules and other features, including follow-up self-assessments (10%).  CM Incentives are capped at $200 per month, with an annual maximum of $599.00 per Member per year.

Customer Payment for the Program

Requestor contracts with various Customers, and individual Members and their families can also pay for the Program directly.  Requester offers two payment models: a flat monthly fee per eligible, active Member and a pay-for-performance model, under which Requestor is paid upon a Member achieving certain agreed-upon abstinence targets.

CM Incentives are held in reserve until the Member has successfully met specified targets.  When a Member does not engage with the application during a given month, the system designates that Member as “inactive.”  Customers are not billed any fees for inactive Members, and unspent CM Incentive fees are held in reserve until the Member becomes active again.

Legal Analysis

OIG found that two aspects of the program could potentially implicate the Federal anti-kickback statute (“AKS”) and the Beneficiary Inducements CMP.  First, even though Requestor does not bill Federal health care programs, it does collect fees from Customers and provide services that could incentivize a Member to receive a federally billable service (e.g., a federally-reimbursable counseling session).  Additionally, there is at least a theoretical risk that a Customer could pay Requestor’s fees to generate business or reward referrals of federally reimbursable services.  Some of the fees a Customer pays are passed on to Members as CM Incentives, based in part upon utilization of services that could be billable to Federal health care programs by another provider or supplier, including the same Customer.

Nonetheless, OIG determined that the program presents a minimal risk of fraud and abuse for four reasons.

  1. The program is protocol-driven and evidence-based.  Requestor cited reputable sources stating that CM is “highly effective” and “cost-efficient” for the treatment of substance abuse disorders.
  2. The risk of overutilization of federally reimbursable services is low.  According to OIG, the CM Incentives have a “relatively low [monetary] value.”  Additionally, a substantial portion of CM Incentives are not tied to federally payable services, and the Requester itself never bills Federal health care programs for services furnished.
  3. The risk is low that a Customer would pay Requestor’s fees to generate business or reward referrals of federally reimbursable services.  The fees paid by Customers do not vary based on the volume or value of federally reimbursable services rendered by that Customer.  Instead, the program is protocol-driven and set by the Requestor.
  4. Safeguards mitigate the risk of fraud and abuse associated with cash and cash-equivalent remuneration.  Requestor has full control over what services a Member needs and what CM Incentives are attached to such services.  Additionally, the smart debit card cannot be used at bars, liquor stores, casinos, or certain other locations and cannot be used to convert credit to cash.  The Requestor can also monitor use of the smart debit card, allowing recovery coaches and providers to be alerted in the event of a blocked purchase.

On January 25, 2022, Senators Patty Murray and Richard Burr (Chair and Ranking Member of the Senate Health, Education, Labor, and Pensions (HELP) Committee, respectively) released a “discussion draft” of bipartisan legislation—the Prepare for and Respond to Existing Viruses, Emerging New Threats, and Pandemics Act (“PREVENT Pandemics Act”)—which contains notable provisions related to digital health.  This post highlights three items of potential interest for stakeholders in the space.

  1. Future FDA Digital Health Guidance

Section 502 of the discussion draft, titled “Modernizing Clinical Trials,” would require FDA to issue three draft guidances:

  • The appropriate use of digital health tools in clinical trials to help improve recruitment, participation, and data collection. This draft guidance also would include recommendations for “increasing access to, and the use of, [digital health tools] in clinical trials to facilitate the inclusion of diverse and underrepresented populations.”
  • Use of decentralized clinical trials to support the development of drugs and devices, improve trial participant engagement, and advance the use of flexible and novel clinical trial designs. Similar to the above, this FDA draft guidance would also include recommendations on how to encourage diversity among clinical trial participants.
  • Use of seamless, concurrent, and other innovative clinical trial designs to support the expedited development and review of applications for drugs and biological products.

FDA would have to issue all three drafts within one year after date of enactment of the Act.  Notably, if these guidance directives are enacted, FDA also would need to assess how the required guidance documents intersect with existing FDA guidance, such as the December 2021 draft guidance titled Digital Health Technologies for Remote Data Acquisition in Clinical Investigations.

Watch this provision as it moves through the legislative process, as the topics and subtopics of the guidance directive could evolve and impact the content and timing of future FDA guidance relating to digital health technologies.

  1. Advancing Real-World Data and Real-World Evidence (RWD/E)

The last few months have seen increased FDA activity in the RWD/E front, with RWE playing a key role in notable regulatory decisions made by the Agency (see here and here).  Indeed, the Agency issued four new RWD/E guidance documents as part of the 21st Century Cures Act requirements, and made further RWD/E-related commitments as part of PDUFA VII for fiscal years 2023 through 2027.  The PREVENT Pandemics Act discussion draft makes clear that advancing RWD/E continues to be a topic of interest for Congress as well.  Section 505 of the discussion draft, titled “Facilitating the Use of Real World Evidence,” would require FDA to issue or revise guidance on the use of RWD/E to support regulatory decision making, including with respect to RWD/E from products authorized for emergency use (i.e., under an EUA pursuant to section 564 of the FDCA).  Not later than one year after enactment, FDA would have to issue or revise guidance that addresses the use of RWD/E to support the approval of a drug application (or clearance or classification of a device).  The guidance also would need to address considerations for the inclusion in such applications or submissions of RWD/E obtained as a result of the use of drugs or devices authorized by an EUA.

Watch for additional attention on advancing use of RWD/E.  In addition to the four recent draft guidances, CDER recently issued a 2022 guidance agenda that includes two new RWD/E draft guidances.

  1. Global Harmonization

Global harmonization continues to be a priority in the digital health space, with U.S., UK, and Canada regulators recently developing joint guiding principles for Good Machine Learning Practices.  Section 502 of the discussion draft requires FDA to continue its work with foreign regulators to facilitate international harmonization of regulation and use of decentralized clinical trials, digital health tools leveraged in clinical trials, and clinical trial designs.

Watch for more focus on the need for global coordination and potentially more joint recommendations from health authorities.  Also watch whether the new FDA Commissioner, Robert Califf, engages with his foreign regulatory counterparts on digital health and RWD/E.

Spurred by the realities of the COVID-19 pandemic, FDA has taken a number of regulatory actions to advance the use of digital health technologies (“DHTs”) in clinical trials.  DHTs provide sponsors with opportunities to capture a broader array of information from study subjects than is typically available through traditional study designs.  This includes information from activities at home, work, school, outdoors, and while sleeping.  DHTs also enable the collection of data from a broader population, such as from those typically unable to report on their own experiences (e.g., infants and persons with cognitive impairments) or unable to travel to a study location.  At the same time, DHTs also present unique challenges.  For example, how do sponsors validate and verify data collected from such DHTs?  How do sponsors ensure the data are reliable?  How do sponsors alleviate disparities in access to DHTs?

On February 9, 2022, FDA held a webinar to provide clarity on a recently released draft guidance, Digital Health Technologies for Remote Data Acquisition in Clinical Investigations (“the Draft DHT Guidance”) published in December 2021.  This blog post outlines five key takeaways from the recent FDA webinar.

Background: FDA’s Draft DHT Guidance

FDA’s Draft DHT Guidance provides recommendations to facilitate the use of DHTs, particularly with respect to clinical trials.  FDA defines DHTs as systems that use computing platforms, connectivity, software, and/or sensors to collect data for healthcare and related uses.  FDA acknowledges that some DHTs qualify as devices under the Federal Food Drug & Cosmetic Act (“FDCA”), meaning they are subject to FDA oversight, but others do not.  Indeed, during the recent FDA webinar, agency staff confirmed that marketing authorization is not necessary in order to use a DHT in a clinical investigation.  Also, the Draft DHT Guidance clarifies that DHTs may include technologies that run on “general-purpose computing platforms”—defined as “commercial off-the-shelf computing platforms, with or without wireless connectivity, that may be handheld or otherwise portable in nature” (e.g., mobile phones, smartwatches, and tablets)—that are not generally regulated as devices.  Examples of DHTs include glucometers, software to measure mental acuity, and combinations of such technologies (e.g., a continuous glucose monitor device with a mobile application serving as the interface and providing analysis and alarm functions).

The Draft DHT Guidance provides helpful and detailed descriptions of the types of information to submit to FDA, as well as several examples of DHTs and how a sponsor might go about selecting a DHT that would be useful for a particular clinical investigation.  For example, the Draft DHT Guidance addresses how data acquired through DHTs can help with the evaluation of study endpoints and specifies information that should be contained in an application (e.g., an IND or IDE) for a clinical investigation in which the sponsor intends to use one or more DHTs, or in a marketing application (e.g., PMA, 510(k), de novo, or HDE) that includes such an investigation.  FDA also explicitly states that some of the considerations may be helpful for interactions with the Agency regarding uses of DHTs beyond acquiring data, such as clinical trial enrichment strategies (e.g., the prospective use of patient characteristics to select a desirable study population).

The Draft DHT Guidance describes how a DHT should be verified, validated, and assessed for usability in order to be deployed in a clinical trial.  Study sponsors also should ensure that any DHT sought to be employed in a clinical study is “fit-for-purpose,” i.e., that “the level of validation associated with the DHT is sufficient to support its use and interpretability” in the context of how it will be used in the clinical study (its “context of use”).  Verification and validation are related concepts that can be used to ensure that a DHT is fit-for-purpose for remote data collection in a clinical investigation.  In this context, “verification” refers to confirmation that the DHT is accurate and precise, and “validation” refers to confirmation that the DHT appropriately assesses the clinical event or characteristic in the proposed participant population.  Usability testing, on the other hand, should identify and address any potential errors or problems trial participants may experience when using the DHT.  During the webinar, FDA staff recognized the potential to conduct DHT validation studies in a variety of environments, including studies in the real world collecting real-world data from participants.

The Promise of DHTs

During the webinar, FDA staff reiterated the promise of DHTs to improve health and health outcomes as well as significantly improve clinical investigations by facilitating innovative, efficient, and/or more pragmatic clinical trial designs.  The presenters highlighted how DHTs provide the opportunity to observe the full patient population, building in diversity and health equity up front.  For example, DHTs can help open clinical investigations to underrepresented patient populations via remote data acquisition and decentralized clinical trials (i.e., where some or all of the trial-related activities occur at a location separate from that of the investigator).  In addition to expanding the reach of the patient pool, this also alleviates the burden on patients of traveling to a trial site during working hours.  FDA cautions, however, that sponsors should consider ways they may need to adapt DHTs to allow for the inclusion of diverse populations (e.g., providing translated versions, ensuring DHTs reliably collect data from healthy participants as well as participants of interest, considering usability and access, etc.).  Additionally, sponsors may need to consider ways to alleviate disparities in access to DHTs (e.g., cost considerations, use of personal DHTs versus trial-provided DHTs, etc.).  For example, a 2021 bill introduced by Rep. Ruiz, titled the DIVERSE Trials Act, would confirm that the free provision of DHTs by drug or device manufacturers to their clinical trial participants would not be considered a violation of certain laws if the use of DHTs would facilitate the diversity of patient populations.

Five Key Takeaways from the FDA Webinar

  1. FDA’s recommendations for verification and validation of the DHT apply regardless of whether the DHT meets the definition of a device under the FDCA. In other words, sponsors need to ensure that all DHTs used in clinical trials—even non-device DHTs—are verified, validated, and assessed for usability.  That being said, FDA staff clarified during the webinar that only DHTs that meet the definition of a device and are intended to be used in a clinical trial are subject to 21 C.F.R. part 812 (regulations related to the use of investigational devices).  When asked during the webinar whether there were advantages of using a device DHT versus a non-device DHT in a clinical trial, FDA staff replied that it depends on the needs of the investigation and the intended use of the product.  For example, if the investigation requires glucose measurements, a review board would likely pause and have questions about the use of a DHT glucometer (typically a medical device) that has not been cleared by FDA’s Center for Devices and Radiological Health (“CDRH”).  FDA staff further confirmed that cleared devices reviewed by CDRH are a “good measure” of data, but that marketing authorization alone is not sufficient to show a DHT is fit-for-use.
  2. Most regulatory requirements for devices, including premarket clearance or approval, do not apply to DHTs intended for use in clinical investigations if the clinical investigation complies with applicable requirements under 21 C.F.R. part 812, but sponsors may have other obligations when they employ DHTs that are devices. For example, if a sponsor undertakes any clinical verification or validation testing of a DHT that qualifies as a device under the FDCA, that testing may itself constitute a clinical investigation subject to applicable investigational device regulations (i.e., 21 C.F.R. parts 50, 56, and/or 812).  Additionally, if a DHT used in an investigation qualifies as a significant risk device under 21 C.F.R. § 812.3(m), the sponsor would be required to submit an IDE to FDA for the same investigation.  During the webinar, FDA staff cautioned that DHTs also intended for use outside of a clinical investigation should be treated just like any other device intended for market, including that Medical Device Reporting obligations under 21 CFR part 803 could be triggered if a device DHT malfunctions or causes a death or serious injury.
  3. FDA encourages external collaboration and recycling to rapidly advance and multiply the use of DHTs. During the webinar, FDA recommended sponsors involve DHT manufacturers, patients, caregivers, regulators, and other stakeholders in validation steps to ensure the product is fit-for-purpose.  FDA also emphasized that sponsors should leverage data that may be available from multiple sources, such as marketing applications or data from the DHT manufacturer, to support their submissions and fit-for-purpose arguments.  FDA presenters also encouraged sponsors to make use of voluntary qualification programs to allow for reliance on DHTs in multiple clinical investigations for different premarket submissions.  For example, although the Draft DHT Guidance recommends that study sponsors ensure that DHTs employed in a particular clinical trial are fit-for-purpose, the Agency notes that the multiple mechanisms exist by which DHTs may be pre-qualified for contexts of use, including qualification as a “Drug/Medical Device Development Tool.”  For DHTs that are outside the scope of the DDT qualification programs but still present a potential benefit for drug development, FDA suggests that sponsors and other stakeholders consider submitting DHT-related proposals to the Innovative Science and Technology Approaches for New Drugs (“ISTAND”) Pilot Program.  In short, one of FDA’s aims appears to be around fostering collaboration and wide use of DHTs.
  4. Novel endpoints driven by new insights that were not previously measurable before DHTs should be developed as in any other instance. When a DHT will simply replicate an existing endpoint, however, a new justification will generally not be expected (although validation of the new method to measure the endpoint should still be provided).  In any event, FDA staff clarified that sponsors may leverage existing data for future clinical trials and need not repeat evidence generation.  FDA staff also noted they look forward to making available examples of digital endpoints as they become public.
  5. Consult FDA early and often. During the webinar, FDA staff repeatedly encouraged sponsors to engage with FDA and early and often when considering using DHTs in a clinical trial.  FDA staff emphasized that the earlier sponsors can obtain feedback, the better.  FDA also recommended sponsors make use of FDA guidance documents and additional mechanisms (such as the voluntary programs described above) to receive clarity on whether a proposed DHT would be appropriate for any particular trial.

FDA staff expressed that they look forward to receiving input on the Draft DHT Guidance to inform their next steps.  Comments regarding the Draft DHT Guidance are due by March 22, 2022.

On January 21, the Federal Trade Commission (“FTC”) announced new resources to help companies determine their obligations under the Health Breach Notification Rule (the “Rule”): the Health Breach Notification Rule: Basics for Business, which provides a quick introduction to the Rule, and Complying with FTC’s Health Breach Notification Rule (“Compliance Guidance”), a more in-depth compliance guidance.  These resources follow the FTC’s September 2021 Policy Statement, which expanded the Rule’s application to the developers of health apps, connected devices, and similar products, and similarly emphasize the FTC’s continued scrutiny of health technology.

Continue Reading FTC Releases New Health Breach Notification Rule Guidance, Targets Health Apps and Connected Devices

As we kick off 2022, several recent developments from FDA suggest that this year could be pivotal for the Agency’s digital health priorities.  From new FDA offices and artificial intelligence guidance, to FDA’s user fee commitments and must-pass legislation in Congress, this post outlines five key issues to watch in 2022 related to FDA and digital health.  For all of these issues, stakeholders should be mindful of areas where digital health can help address some of the health disparities highlighted by the pandemic (e.g., ability to reach more clinical trial participants using wearables and other technologies, use of real-world evidence to better understand treatment effects in underrepresented populations, at-home software and diagnostic solutions).

1.         FDA’s Digital Transformation

Significant work continues within the Agency to advance digital health priorities, including both organizational and regulatory policy changes.

As an organization, FDA continues to evolve in an effort to keep pace with trends in digital health and data analytics.  For example, on September 15, 2021, FDA announced a new Office of Digital Transformation (ODT), which is tasked with advancing FDA’s overarching technology and data modernization efforts.  ODT sits in the FDA Office of the Commissioner and encompasses the Agency’s information technology, data management, and cybersecurity functions.  The formation of ODT follows two years of modernization efforts, including the 2019 Technology Modernization Action Plan and the 2021 Data Modernization Action Plan.  FDA recently named Vid Desai as the Director of ODT, and the Agency’s FY 2022 budget request included funding to support these data modernization efforts, further demonstrating the commitment to these institutional changes.  At the center level, FDA’s Center for Devices and Radiological Health (CDRH) launched the Digital Health Center of Excellence (DHCoE) in 2020 to help coordinate digital health projects at CDRH and enhance coordination with other agency centers.  On the data analytics front, the Real-World Evidence (RWE) Subcommittee composed of CDER and CBER officials continues to advance the use of real-world data/evidence (RWD/E) in agency decision making, and in early January 2022, FDA highlighted proposed changes to CBER’s Office of Biostatistics and Epidemiology aimed at positioning CBER to “advance real-world evidence priorities for biologics,” noting that “harnessing the power of real-world evidence” is a priority for the Agency.

On the regulatory policy front, FDA continues to issue new policies.  For example, on December 22, 2021, CBER, CDER, and CDRH issued a draft guidance on the use of “Digital Health Technologies for Remote Data Acquisition in Clinical Investigations,” which addresses the use of computing platforms, software, and sensors to facilitate remote data acquisition during clinical investigations.  CDRH’s FY 2022 agenda prioritizes other software-related guidance documents, including final guidance on Clinical Decision Support (CDS) Software and draft guidances on risk categorizations for Software as a Medical Device (SaMD) and the content of premarket submissions for SaMD (which FDA published early in FY 2022, on November 4, 2021).  It also is possible that FDA will apply some of the lessons from FDA’s Pre-Cert Pilot Program to develop new approaches for software developers.  Drug sponsors continue to watch what (if anything) FDA will do with the proposed November 2018 PDURS Framework regarding “prescription drug-use-related software.”  In sum, expect an active FDA in 2022.

2.        AI/ML-Based Software Regulation

FDA recognizes the potential for AI/ML-based software to transform healthcare and has outlined several priorities regarding AI/ML-based software as a medical device (AI/ML-based SaMD).  In a January 2021 AI/ML-Based SaMD Action Plan, FDA recognized that adaptive AI/ML-based SaMD raise unique regulatory issues, such as how to manage device modifications after FDA clearance, and how to determine which modifications trigger the need for FDA premarket review.  FDA has proposed a regulatory framework to potentially allow for modifications to algorithms based on real-world, postmarket learning and adaptations while maintaining safety and effectiveness.  The 2021 Action Plan addressed stakeholder feedback on an earlier discussion paper, and promised to update the proposed framework for AI/ML-based SaMD, including through issuance of draft guidance.  CDRH’s FY 2022 agenda included a proposed guidance document for premarket submissions that outlined a change control plan for AI/ML-based SaMD.  To provide greater transparency, CDRH also launched an Artificial Intelligence and Machine Learning (AI/ML)-Enabled Medical Device List.  The list—though not exhaustive—contains publicly available information on AI/ML-enabled devices marketed in the U.S., many of which currently have “locked” algorithms (i.e., algorithms that do not change without human intervention).

On the global stage, FDA, Health Canada, and the United Kingdom’s Medicines and Healthcare products Regulatory Agency (MHRA) identified 10 guiding principles that can inform the development of Good Machine Learning Practice (GMLP) in an October 2021 guidance titled, “Good Machine Learning Practice for Medical Device Development: Guiding Principles.”  The guiding principles aim to promote safe, effective, and high-quality AI/ML-based medical devices.  For more information on these principles, see our previous post here.  Also, the International Medical Device Regulators Forum (IMDRF) AI Working Group released a draft guidance on September 16, 2021, titled “Machine Learning Enabled Medical Devices – a Subset of Artificial Intelligence: Key Terms and Definitions.” This guidance aims to establish relevant terms and definitions across the total product lifecycle to promote consistency and support global harmonization efforts.  Bottom line, watch for continued emphasis in 2022 on developing the appropriate regulatory framework for AI/ML-based SaMD.

3.        PDUFA & MDUFA Reauthorization in Congress

Digital health priorities are embedded in the Agency’s user fee commitments for fiscal years (FYs) 2023 through 2027.  As background, the Prescription Drug User Fee Act (most recently reauthorized as PDUFA VI) and the Medical Device User Fee Act (most recently reauthorized as MDUFA IV) sunset every five years, unless reauthorized by Congress, and PDUFA VI and MDUFA IV expire on September 30, 2022.  The reauthorization of PDUFA and MDUFA is regarded as “must-pass” legislation in Congress, given the critical nature of user fees to FDA’s activities.

As part of the reauthorization process, FDA has negotiated user fee commitment letters with the relevant regulated industries, taking input from patient and consumer groups along the way.  These commitment letters outline the performance goals agreed to by the Agency for the next five fiscal years, if Congress reauthorizes the associated user fee levels.

In its PDUFA VII commitment letter, published August 23, 2021, FDA committed to expanding the role of digital health technologies in drug development, drug reviews, and decentralized clinical trials.  Between FYs 2023 through 2027, FDA commits to establish a digital health technology framework, identify demonstration projects to inform evaluations of digital health technologies, issue guidance on the use of digital health technologies in clinical trials, and expand its digital health staff and expertise.  FDA also plans to host public meetings to gather input on issues related to use of digital health technologies in regulatory decision making.  As further discussed under Issue 5, FDA also committed to take steps to advance the use of RWD/E.

FDA has yet to publish the MDUFA V commitment letter, but meeting minutes from industry and stakeholder discussions suggest that digital health is a topic of interest.  Industry should watch for the MDUFA V commitment letter and then monitor whether Congress adds additional legislative changes on digital health topics for both drugs and devices as part of the 2022 user fee reauthorization.

4.        Software-Related Policies in Cures 2.0 and the VALID Act

Two key bills being considered in Congress include provisions that would impact FDA’s digital health policies: the VALID Act and Cures 2.0.

First, on June 24, 2021, Sens. Michael Bennet (D-CO) and Richard Burr (R-NC) and Reps. Diana DeGette (D-CO) and Larry Buschon (R-IN) reintroduced a revised version of the Verifying Accurate Leading-edge IVCT Development (VALID) Act, following up on its initial introduction in March 2020.  The VALID Act’s definition of “in vitro clinical test” currently encompasses software used in diagnostic testing.  If enacted, this could result in software used in connection with diagnostic tests being regulated under the new VALID Act framework.  Stakeholders should monitor the legislation and, if it is enacted, how that new framework would intersect with FDA’s other digital health policies, such as those relating to CDS software.

Second, Congressional leaders Diana DeGette (D-DO) and Fred Upton (R-MI) are working on a bipartisan follow-up to the 2016 21st Century Cures Act, deemed “Cures 2.0.”  As discussed in a previous post, Cures 2.0 was introduced in the House on November 17, 2021 and lays out several notable policies related to digital health, RWD/E, and telehealth, among other provisions.

Stakeholders should monitor how these legislative proposals advance in Congress this year, including as potential amendments to the “must-pass” FDA user fee reauthorization discussed in Issue 3.

5.        FDA’s Real-World Evidence (RWE) Program

FDA continues to advance the use of RWD/E as part of the agency’s regulatory decision making.  As background, CDER and CBER published a framework in 2018 for FDA’s RWE Program for human drugs and biological products, as required by section 3022 of the 21st Century Cures Act.  The Cures Act also required FDA to issue guidance documents by December 13, 2021, regarding the circumstances under which drug sponsors may rely on RWD/E and the appropriate standards and methodologies for the collection and analysis of RWD/E.  In line with this requirement, FDA recently published four significant draft guidance documents:

  1. RWD: Assessing Electronic Health Records and Medical Claims Data To Support Regulatory Decision-Making for Drug and Biological Products (September 2021)
  2. Data Standards for Drug and Biological Product Submissions Containing RWD (October 2021)
  3. Real-World Data: Assessing Registries to Support Regulatory Decision-Making for Drug and Biological Products (November 2021)
  4. Considerations for the Use of Real-World Data and Real-World Evidence to Support Regulatory Decision-Making for Drug and Biological Products (December 2021)

CDRH has been active in this space as well, issuing a guidance in 2017 on the use of RWD/E to support regulatory decision-making for medical devices and issuing a report last year outlining examples of RWD/E used in various regulatory decisions involving devices.

As stated in FDA’s PDUFA VII commitment letter (and as previewed under Issue 3), FDA intends to launch a pilot “Advancing Real-World Evidence (RWE) Program” with three key goals: (1) to identify approaches for generating RWE that meet regulatory requirements; (2) to develop agency processes that promote consistent decision-making and shared learning regarding RWE; and (3) to promote awareness of characteristics of RWE that can support regulatory decisions by allowing FDA to discuss study designs considered in the Advancing RWE Program in a public forum.  As part of this Pilot, sponsors can apply to participate in the Advancing RWE Program meetings, which will provide an optional pathway for submitting RWE proposals.  Sponsors who do not participate in the pilot program will still have an opportunity to engage with the Agency on RWE issues through existing channels.  In its PDUFA VII commitment letter, FDA also commits to reporting out information regarding RWE submissions to CDER and CBER by June 2024 and updating RWE guidance (or drafting new guidance) reflecting FDA’s experience with the Pilot Program by December 2026.

Bottom line, watch for additional FDA decisions and actions on the RWD/E front in 2022, including as the Agency prepares for its 2023 PDUFA VII commitments.

On 27 October 2021, the U.S. Food and Drug Administration (“FDA”), Health Canada, and the United Kingdom’s Medicines and Healthcare products Regulatory Agency (“MHRA”) (together the “Regulators”) jointly published 10 guiding principles to inform the development of Good Machine Learning Practice (“GMLP”) for medical devices that use artificial intelligence and machine learning (“AI/ML”).

Purpose

AI and ML have the “potential to transform health care” through their ability to analyse vast amounts of data and learn from real-world use.  However, these technologies also pose unique challenges, given their complexity and the constantly evolving, data-driven nature of their development.  The Regulators formed the guiding principles to “help promote safe, effective, and high-quality medical devices that use . . . AI/ML” and to “cultivate future growth” in this fast paced field.

The Regulators predict that the guiding principles could be used to: (i) adopt good practices from other sectors; (ii) tailor these practices to the medical technology/healthcare sector; and (iii) create new practices specific to the medical technology/healthcare sector.  The Regulators expect these joint principles to inform broader international engagements as well.

The 10 Guiding Principles

The guidance published by the Regulators set out the 10 principles in full; however, in short, they recommend:

  1. Leveraging multi-disciplinary expertise throughout the total product life cycle
  2. Implementing good software engineering and security practices
  3. Ensuring clinical study participants and data sets are representative of the intended patient population
  4. Making training data sets independent of test sets
  5. Basing selected reference datasets upon best available methods
  6. Tailoring the model design to the available data and ensuring it reflects the intended use of the device
  7. Placing focus on the performance of the human-AI team
  8. Ensuring testing demonstrates device performance during clinically relevant conditions
  9. Providing users with clear, essential information
  10. Monitoring deployed models for performance and managing re-training risks

These principles cover the entire life cycle of devices with the aim of ensuring safety and efficacy.  The Regulators have focused on use of appropriate datasets and carrying out sufficient testing before marketing AI/ML-based devices.  These guiding principles set out an ongoing recommendation to manage risks, which will involve monitoring and potentially re-training AI/ML-based devices after deployment.

These principles are merely a starting point.  The Regulators stated, “[a]s the AI/ML medical device field evolves, so too must GMLP best practice and consensus standards.”

Possible Impact & International Considerations

AI and ML are clearly top priorities from a global health regulatory perspective.  The Regulators expect this collaboration to lead to further and broader international collaborative work.  As noted above, the Regulators expect these guidelines to evolve and emphasize the importance of “strong partnerships with [their] international public health partners.”

As one example, the guiding principles identify areas of possible collaboration for the International Medical Device Regulators Forum (“IMDRF”), international standards organizations, and other collaborative bodies.  These areas include “research, creating educational tools and resources, international harmonization, and consensus standards.”

This collaboration is important as it follows on from the individual work each agency has been doing in this space.  For example, MHRA has consulted on the future regulation of medical devices in the UK, including by developing a Work Programme for Software and AI-based Medical Devices (which we previously discussed in our blog post).  FDA has also been active in the AI/ML space, and several more FDA digital health developments are on the horizon for 2022.  Through this international regulatory collaboration it appears the Regulators are working towards a united front through close alignment on best practice and international regimes.  It also shows, for example, that the UK is considering international regimes broadly, rather than simply aligning with the European Union.

In sum, it appears there is an appetite for further international regulatory collaboration, so watch this space for the potential development of more detailed and sector specific international standards and practices for AI/ML-based technologies.

 

On Wednesday, October 6th, Governor Gavin Newsom signed SB 41, the Genetic Information Privacy Act, which expands genetic privacy protections for consumers in California, including those interacting with direct-to-consumer (“DTC”) genetic testing companies.  In a recent Covington Digital Health blog post, our colleagues discussed SB 41 and the growing patchwork of state genetic privacy laws across the United States.  Read the post here.

Last Friday, October 1, the Protecting DNA Privacy Act (HB 833), a new genetic privacy law, went into effect in the state of Florida establishing four new crimes related to the unlawful use of another person’s DNA.  While the criminal penalties in HB 833 are notable, Florida is not alone in its focus on increased genetic privacy protections.  A growing number of states, including Utah, Arizona, and California, have begun developing a net of genetic privacy protections to fill gaps in federal and other state legislation, often focused on the privacy practices of direct-to-consumer (“DTC”) genetic testing companies.  While some processing of genetic information is covered by federal law, the existing patchwork of federal genetic privacy protections do not clearly cover all forms of genetic testing, including DTC genetic tests.

Florida’s Protecting DNA Privacy Act

HB 833 was introduced in the Florida House of Representatives in February 2021 and signed by the governor in June.  HB 833 applies to DNA samples collected from a person in Florida, and regulates any person’s use, retention, disclosure, or transfer of another person’s DNA samples or analysis.  HB 833 amended Florida’s previous genetic privacy law, s. 760.40, F.S., to require that a person from whom the DNA is extracted gives “express consent” for a specified use of their genetic information.  Under the previous law, analyzing a person’s DNA without their informed consent was a first degree misdemeanor; however, under HB 833, unlawful use may be a felony, depending on the provision of the law violated.  Additionally, HB 833 states that the genetic information of the person from whom it is extracted is the “exclusive property” of that person to control.  While HB 833 does impose notable criminal penalties for those that violate it, there are a number of exceptions (e.g., criminal prosecution or other legal processes, medical diagnosis or treatment, or conducting or preparing research subject to federal law, including the Common Rule and the Health Insurance Portability and Accountability Act (“HIPAA”)).

HB 833 is not the only change to genetic privacy protections recently made in Florida.  In July 2020, Florida enacted HB 1189 that extended existing protections barring health insurers’ use of genetic information to long-term care and life insurers, including those that issue policies with disability insurance.  Specifically, HB 1189 prohibits these insurers from canceling, limiting, denying, or differing premium rates based on genetic information.  Further, HB 1189 bars the insurers from requiring or soliciting genetic information or test results, or using a consumer’s decision as to whether to take any actions related to genetic testing “for any insurance purpose.”

Additional DTC Genetic Privacy Laws and Bills

Earlier this year, Utah enacted SB 227, the Genetic Information Privacy Act, which imposes restrictions on DTC genetic testing companies, requiring specific privacy notices, security processes to protect consumer data, and the ability of a consumer to access and delete their own personal genetic data.  Similar to Florida’s HB 833, Utah’s SB 227 contains a requirement that DTC genetic testing companies obtain express consent for the collection, use, or disclosure of consumer genetic data.  Additionally, SB 227 specifically creates data de-identification requirements, including that the company in possession of the data impose specific measures to ensure data cannot be re-identified and “enters into legally enforceable contractual obligation that prohibits a recipient of the data from attempting to reidentify the data.”

Arizona also recently enacted HB 2069, the Genetic Information Privacy Act, which became effective last week on September 29.  HB 2069 also focuses on DTC genetic testing companies and is similar to Utah’s SB 227 in many respects (e.g., initial consent must be obtained to collect and use genetic data, followed by certain separate express consents for purposes beyond the initial use), but not all (e.g., the standard de-identifying genetic data).

The California state legislature has passed SB 41, its own Genetic Information Privacy Act, which has many of the same consent, privacy, and security mechanisms present in the Utah and Arizona laws.  The bill is currently sitting on the governor’s desk for signature.  SB 41 creates its own de-identification standard similar to that created in Utah’s SB 227.  Additionally, SB 41 requires a DTC genetic testing company comply with a consumer’s revocation of consent and destroy a consumer’s biological sample within 30 days of that revocation.  SB 41 is almost identical to a bill vetoed by the Governor last year due to concerns over interference with COVID-19 test result reporting to public health authorities.  However, SB 41 attempts to address the governor’s concerns by providing a carve-out for tests to diagnose a specific disease as long as genetic information obtained through this diagnostic test is treated as medical or protected health information.

Federal Genetic Privacy Landscape and Efforts

Current federal genetic privacy protections stem from several laws, including HIPAA, the Genetic Information Nondiscrimination Act of 2008, and the Federal Trade Commission’s ability to bring actions against “unfair” or “deceptive” business practices.  However, these laws do not cover all forms of genetic testing that a consumer may engage with, including DTC genetic tests.  There have been recent attempts to pass federal legislation to protect American’s personal health data.  In January 2021, Senators Amy Klobuchar and Lisa Murkowski introduced S.24, the Protecting Personal Health Data Act, which aims to broadly protect personal health data not covered by HIPAA.  Under S.24, “personal health data” includes “genetic information . . . that relates to past, present, or future physical or mental health or condition of an individual that identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual” and states that DTC genetic testing services are covered as “services” under the bill.  However, to date, since being introduced, S.24 has been referred to the U.S. Senate Committee on Health, Education, Labor, and Pensions, but it has not otherwise moved.