ICO consults on privacy “regulatory sandbox”

By Joshua Gray on Posted in Artificial Intelligence (AI), Big Data, Data Security, EU Data Protection, Health Data, Internet of Things (IoT), Medical Apps

Designing data-driven products and services in compliance with privacy requirements can be a challenging process.  Technological innovation enables novel uses of personal data, and companies designing new data-driven products must navigate new, untested, and sometimes unclear requirements of privacy laws, including the General Data Protection Regulation (GDPR).  These challenges are often particularly acute for companies providing products and services leveraging artificial intelligence technologies, or operating with sensitive personal data, such as digital health products and services.

Recognising some of the above challenges, the Information Commissioner’s Office (ICO) has commenced a consultation on establishing a “regulatory sandbox”.  The first stage is a survey to gather market views on how such a regulatory sandbox may work (Survey).  Interested organisations have until 12 October to reply.

The key feature of the regulatory sandbox is to allow companies to test ideas, services and business models without risk of enforcement and in a manner that facilitates greater engagement between industry and the ICO as new products and services are being developed.

The regulatory sandbox model has been deployed in other areas, particularly in the financial services sector (see here), including by the Financial Conduct Authority in the UK (see here).

Potential benefits of the regulatory sandbox include reducing regulatory uncertainty, enabling more products to be brought to market, and reducing the time of doing so, while ensuring appropriate protections are in place (see the FCA’s report on its regulatory sandbox here for the impact it has had on the financial services sector, including lessons learned).

The ICO indicated earlier this year that it intends to launch the regulatory sandbox in 2019 and will focus on AI applications (see here).

Further details on the scope of the Survey are summarised below.

Continue Reading

UK Government publishes “Initial code of conduct for data-driven health and care technology” for consultation

By Joshua Gray on Posted in Artificial Intelligence (AI), Big Data, EU Data Protection, Government Contracting, Health Data, HIPAA and Data Privacy, Medical Apps, Personalized Medicine, UK National Health Service

On 5 September, in response to the opportunities presented by data-driven innovations, apps, clinician decision support tools, electronic health care records and advances in technology such as artificial intelligence, the UK Government published a draft “Initial code of conduct for data-driven health and care technology” (Code) for consultation.  The Code is designed to be supplementary to the Data Ethics Framework, published by the Department for Digital, Culture, Media and Sport on 30 August, which guides appropriate data use in the public sector.  The Code demonstrates a willingness of the UK Government to support data sharing to take advantage of new technologies to improve outcomes for patients and accelerate medical breakthroughs, while balancing key privacy principles enshrined in the GDPR and emerging issues such as the validation and monitoring of algorithm-based technologies.  For parties considering data-driven digital health projects, the Code provides a framework to help conceptualise a commercial strategy before engaging with legal teams.

The Code contains:

  • a set of ten principles for safe and effective digital innovations; and
  • five commitments from Government to ensure the health and care system is ready and able to adopt new technologies at scale,

each of which are listed further below.

While the full text of the Code will be of interest to all those operating in the digital health space, the following points are of particular note:

  • the UK Government recognises the “immense promise” that data sharing has for improving the NHS and social care system as well as for developing new treatments and medical breakthroughs;
  • the UK Government is committed to the safe use of data to improve outcomes of patients;
  • the Code intends to provide the basis for the health and care system and suppliers of digital technology to enter into commercial terms in which the benefits of the partnerships between technology companies and health and care providers are shared fairly (see further below); and
  • given the need of artificial intelligence for large datasets to function, two key challenges arise: (i) these datasets must be defined and structured in accordance with interoperable standards, and (ii) from an ethical and legal standpoint, people must be able to trust that data is used appropriately, safely and securely as the benefits of data sharing rely upon public confidence in the appropriate and effective use of data.

The Code provides sets out a number of factors consider before engaging with legal teams to help define a commercial strategy for data-driven digital health project.  These factors include: considering the scope of the project, term, value, compliance obligations and responsibilities, IP, liability and risk allocation, transparency, management of potential bias in algorithms, the ability of the NHS to add value, and defining the respective roles of the parties (which will require thinking beyond traditional research collaboration models).

Considering how value is created and realised is a key aspect of any data-driven digital health project, the Code identifies a number of potential options: simple royalties, reduced payments for commercial products, equity shares in business, improved datasets – but there is also no simple of single answer.  Members of Covington’s digital health group have advised on numerous data-driven collaborations in the healthcare sector.  Covington recently advised UK healthcare technology company Sensyne Health plc on pioneering strategic research and data processing agreements with three NHS Trust partners. Financial returns generated by Sensyne Health are shared with its NHS Trust partners via equity ownership in Sensyne Health and a share of royalties (further details are available here).

The UK Government also intends to conduct a formal review of the regulatory framework and assessing the commercial models used in technology partnerships in order to address issues such as bias, transparency, liability and accountability.

The UK Government is currently consulting on the Code (a questionnaire on the Code is available here) and intends to publish a final version of the Code in December.

Continue Reading

Medicare Policies Modified to Support Smart Devices Use for Sharing Glucose Data

By Esther Scherb and Shruti Barker on Posted in Uncategorized

The Centers for Medicare & Medicaid Services (CMS) recently announced that Medicare coverage policies would be revised “to support the use of [continuous glucose monitors] in conjunction with a smartphone, including the important data sharing function they provide for patients and their families.” In turn, the agency’s contractors, known as Medicare Administrative Contractors (MACs), modified their policies in part to recognize “the use of smart devices (watch, smartphone, tablet, laptop computer, etc.)” (see CMS and MAC announcements here and here). This recent shift is an important precedent for technologies that incorporate the use of electronic devices to display and share medical data, and may foreshadow flexibility in future federal policy development to support the important role smart devices are increasingly playing in communicating medical data.

By way of background, in January 2017, CMS issued a Ruling that therapeutic CGMs—i.e., those capable of monitoring blood glucose levels for making diabetes treatment decisions—may be covered by Medicare Part B as Durable Medical Equipment (DME). The Ruling also provided that, among other things, there must be a durable component capable of displaying the trending of the continuous glucose measurements. A continuous glucose monitor, or CGM, includes a dedicated receiver that tracks and displays glucose levels throughout the day. Several CGM systems currently on the market are capable of connecting to an individual’s smart device, which in turn allows patients to visualize their glucose measurements via app-based communication.

When the MACs issued a coverage policy to implement CMS’s Ruling, they limited the payment of supplies that are used in conjunction with CGMs relying on smart devices because the smart devices were not viewed as medical in nature given they were useful in the absence of an illness. After stakeholders voiced concerns about the restrictions, CMS revisited the issue to address concerns about the inability to share the displayed data with family members, physicians, and caregivers. In a revised Policy Article, the MACs address coverage for CGM systems that use a smart device to provide information, describing two scenarios where the CGM system would be covered:

  1. CGM supplies would be covered if the glucose data is displayed on the CGM receiver that meets the definition of DME, and is also transmitted to a smart device.
  2. Coverage of CGM supplies would be available in a situation where the beneficiary uses a CGM receiver on some days to review their glucose data, but also uses their smart device on other days. (If the beneficiary never uses the receiver that comes with the glucose monitor and qualifies as DME under the regulatory definition, then the CGM supply allowance is not covered by Medicare.)

Although the smart device is not considered DME, and use of supplies and accessories are covered only when the smart device is used in conjunction with a dedicated DME receiver, nevertheless, this policy acknowledges the practicalities of data sharing using smart devices. We continue to monitor this and other reimbursement developments relating to the use of smart devices.

Medicare Advantage Organizations Provided New Opportunities to Offer Telehealth Benefits

By Philip Peisch and Caroline Brown on Posted in Medicare, Telehealth

Earlier this year, President Trump signed into law the Bipartisan Budget Act of 2018 (BBA), which incorporates provisions from the Creating High-Quality Results and Outcomes Necessary to Improve Chronic (CHRONIC) Care Act of 2017 and improves access to telehealth services in Medicare Advantage. Pub. L. No. 115-123. Among other provisions impacting Medicare Advantage Organizations (MAOs), the BBA authorizes MAOs to offer additional telehealth benefits as basic benefits beyond original Medicare (Part A and Part B) limitations. Id. at Div. E., Title III, Subtitle C, § 50323.

Continue Reading

What physicians are reading about digital health

By Nigel Howard, David Wildman and Wade Ackerman on Posted in Regulatory Incentives

There are two papers in the May 15 volume of the Annals of Internal Medicine that discuss digital health applications and are illustrative of the topics being considered by physicians as they evaluate the adoption and impact of digital solutions.  These papers serve as examples of the active dialogue taking place around the appropriate regulatory framework for digital health solutions and the increasing awareness of the need to embrace rapid innovation while at the same time ensuring these solutions work appropriately for the patients that use them.

The first is a paper by Dr. Andrew Auerbach, UCSF Division of Hospital Medicine, Dr. Aaron Neinstein, University of California, and Dr. Raman Khanna, University of California, entitled “Balancing Innovation and Safety When Integrating Digital Tools Into Health Care.”  The paper proposes a “local evaluation” framework, which the authors believe “will likely replace formal evaluations” by the FDA, to ensure digitals tools are safely and effectively introduced into patient care at a particular institution or system.  Specifically, recognizing that digital tools “evolve rapidly” and are “unlikely to be supported by evidence from preclinical trials,” the authors propose forming “digital diagnostics and therapeutics committees” at individual institutions to evaluate and monitor digital health tools.  These committees would be modeled on existing pharmacy and therapeutics committees and would consist of groups of professionals with specific key competencies for analyzing digital tools, including information technologists and specialists in privacy and security.  The committees would be responsible for evaluating digital tools prior to and following local deployment to ensure patient safety, data protection and the feasibility of using the solution from a financial perspective, including by assessing the lifetime cost of the solution.  The authors suggest that local evaluation strikes the right balance between the need to maintain patient safety while encouraging and accommodating the rapid adoption of digital health solutions.

The second is a paper by Theodore Lee at the Yale Law School and Dr. Aaron Kesselheim from the Program on Regulation, Therapeutics, and Law (PORTAL), at Brigham and Women’s Hospital entitled “U.S. Food and Drug Administration Precertification Pilot Program for Digital Health Software: Weighing the Benefits and Risks.”  The paper assesses the potential effects of the FDA’s Digital Health Software Precertification (Pre-Cert) Program and highlights the risk that, without modification, the program will “ascribe FDA validation” to digital health products “that have not established actual clinical benefits.”  The key issue identified by the authors is that “a company may follow best practices for internally testing software but still develop products that prove to be unsafe” and, therefore, the Pre-Cert Program’s reliance on the quality of a company’s internal processes as a substitute for the standard clinical study process is, in the view of the authors, insufficient.  Thus, while the authors recognize the benefits of the Pre-Cert Program and the need to expedite regulatory review of medical software more generally, they conclude that “safety and effectiveness standards for critical technologies cannot rely on manufacturer metrics over product performance” and that “adequate study of safety and effectiveness is needed at some point in [the product] lifecycle.”  The paper provides some data to back up its words of concern, including citing a study that showed only 12 of 117 mobile apps intended to treat depression offered support based on accepted standards of care and that even those 12 apps inconsistently adhered to the standards.  The authors are also somewhat critical of the Pre-Cert Program’s postmarket surveillance requirements and advocate augmenting those requirements with prospective trials and continual monitoring of real-world data.

These papers are good reminders of the need to balance the nimbleness and speed of digital innovation with the underlying objective of producing safe and effective products that provide real reductions in healthcare costs and improved patient outcomes.  The papers also illustrates a range of perspectives on the topic—highlighting how regulators, physicians, developers and legal professionals continue to grapple with these competing factors and foreshadow a future in which regulation is continually calibrated as digital health offerings evolve and the impact on patients becomes more readily discernable. As our Digital Health team recently reported, FDA is continuing with the Pre-Cert Program and Commissioner Gottlieb made significant announcements last month and released FDA’s first draft of a Working Model for the Pre-Cert Program.

Summary of the CPS Paper on the Integration of Technology in the UK’s National Health Service

By Daniel Pavin and Jonathan Benjamin on Posted in Big Data, Health Data, Medical Apps, Personalized Medicine, UK National Health Service

On 1 May, 2018 the Centre for Policy Studies (the “CPS”) published its latest paper on the UK’s National Health Service (the “NHS”) entitled “Powerful Patients, Paperless Systems: How New Technology Can Renew The NHS” (the “Paper”). The Paper advocates a “digital first NHS” that adopts a paperless system and enables patients to take full advantage of the continuing digitisation and integration of technology, often referred to as the Fourth Industrial Revolution (“4IR”).

To facilitate this change the Paper outlines three key targets that should be set by the Department of Health and Social Care, to be achieved by 2028:

  1. Move the NHS to a “digital first” platform and to aim to ensure that all interactions within the health service are digitally driven.
  2. Build an ecosystem of apps and innovation within and around the NHS, to improve patient service and control.
  3. Ensure that the savings made from automation and innovation are put back into frontline services and that budgets for staff R&D and technology training rise in line with overall NHS spending.

Continue Reading

Inside FDA’s Latest Digital Health Developments: Gottlieb Sees “Vast Potential” Ahead

By Christina Kuhn and Covington Digital Health Team on Posted in Artificial Intelligence (AI), Medical Apps, Medical Devices and FDA

On April 26, Commissioner Gottlieb addressed the agency’s progress on FDA’s Digital Health Innovation Action Plan and announced several additional steps the agency is taking to advance the potential benefits of digital health. Here is a recap of the key updates:

(1) Launch of New FDA Program to Apply Digital Health to Drugs

As our readers are aware, FDA has provided little public insight to date around the Agency’s regulatory approach to digital health associated with pharmaceuticals (click here for information about our Digital Health team’s webinar on the topic). Commissioner Gottlieb recognized the regulatory uncertainty and announced that FDA will seek public input “on the right approach to incorporating software that’s designed to be used with prescription drugs” and “expand the opportunities to use digital health tools as part of drug development.” Specifically, FDA intends to:

  • Request input on how FDA can support development of digital health tools for approved drugs, including how to properly regulate software that undergoes rapid cycles of innovation;
  • Establish clear policies around how digital health tools can be baked into drug development programs;
  • Clarify that not all FDA requirements apply every time a digital health tool is employed in relation to a prescription drug or by a pharmaceutical manufacturer;
  • Enable sponsors to comply with regulatory requirements using digital health tools, such as post-market surveillance requirements; and
  • Allow for new safety and efficacy claims to be supported by data collected through digital health solutions (e.g. increased activity, improved mood, or greater social interactions for patients treated for severe depression).

FDA has not yet opened the public docket, but stakeholders should consider providing input to FDA given the significance of the regulatory issues involved. The Commissioner noted that FDA intends to advance a new framework through guidance, presumably after seeking input through the public docket.

(2) Expansion and Public Input on the Pre-Certification Pilot Program

FDA took another step in developing the novel model for pre-market review of software devices and released a draft working model for the Pre-Certification program. The model describes four components: (1) excellence appraisal and precertification; (2) review pathway determination; (3) streamlined premarket review; and (4) real world performance. Under the model, developers of software as a medical device (SaMD) would be certified into one of two levels based on objective demonstration of commitment to five excellence principles and the developer’s prior experience delivering SaMD or medical devices. Whether a particular SaMD product by that developer requires premarket review would depend on the precertification level, the seriousness of the healthcare situation or condition addressed by the product, and the significance of the information provided by the product to a healthcare decision.

The working model includes a number of “challenge questions” on which the agency seeks input from stakeholders. The agency has stressed that the Pre-Cert program is intended to be an iterative, collaborative experience and is actively seeking stakeholder comments. FDA requested comments on the challenge questions for the working model by May 31, 2018. Comments may be submitted to the public docket electronically.

The agency also published a roadmap for next steps in the development of the program, under which the agency will launch “Pre Cert 1.0,” a first version of the program by the end of 2018, with further refinement of the program in 2019. There’s also been congressional interest in the program, which we’ll also continue to monitor for our clients.

On May 10, 2018, FDA will host an interactive user session to discuss the agency’s progress on the Pre-Cert pilot program, the working model, and the roadmap.

(3) New Framework for FDA’s Approach to Artificial Intelligence

Given the rapidly expanding use of AI-based technologies in health care, Commissioner Gottlieb announced that FDA was “actively developing a new regulatory framework to promote innovation . . . and support the use of AI-based technologies.” This includes applying the Pre-Cert program in a way that accounts for the ability of machine learning-based technologies to improve over time, by allowing pre-certified companies to make certain minor changes without premarket review. In addition, the agency will ensure that other aspects of the regulatory framework, “such as new software validation tools, are sufficiently flexible to keep pace with the unique attributes of this rapidly advancing field.”

FDA expects an increasing number of AI-based premarket submissions. The agency is working with AI experts to understand how AI-based technologies can be validated and “and how patients and providers can be confident that they’re reliable, unbiased, and will help improve health outcomes.” In addition, FDA will consider how to communicate to patients and providers the connection between decision-making in traditional health care settings and the use of these advanced technologies.

(4) Continued FDA Guidance Implementing the Cures Act: Multiple Functions Guidance

Pursuant to the agency’s Digital Health Innovation Action Plan, FDA issued a draft guidance, “Multiple Function Device Products: Policy Considerations,” addressing products that contain multiple functions, some of which are subject to FDA regulatory oversight as medical devices and others of which are not.  The Center for Devices and Radiological Health (CDRH) and the Center for Biologics Evaluation and Research (CBER) issued the draft guidance, but the Center for Drug Evaluation and Research (CDER) did not join.  The 21st Century Cures Act outlined a function-by-function approach to determining appropriate FDA regulation of health and medical software, and the Cures Act permits FDA to regulate only those software functions that meet the definition of a device, although the agency may consider the impact of the non-device software functions on the regulated device functions. While the Cures Act provision is specific to software, the new draft guidance applies to other types of products that include both device and non-device functions.

Stakeholders can submit comments on the draft guidance in the electronic docket through June 26, 2018.

(5) New Digital Safety Reporting for Drug and Biologic Clinical Trials

FDA will implement a new program to enable a unified data standard for meeting electronic reporting requirements under the expedited safety-reporting regulations of an Investigational New Drug application (IND). According to FDA, the program builds off a recently-completed pilot program assessing the feasibility of a digital submission process in which IND safety reports were transmitted to FDA as data that can be easily visualized and analyzed. The goal of the new digital framework is to significantly improve the efficiency and accuracy of the premarket safety submission and review process.

(6) New Digital Health Incubator at FDA: INFORMED

The agency is creating an internal data science incubator called the Information Exchange and Data Transformation, or INFORMED. Launched in collaboration with HHS Innovation, Design, Entrepreneurship and Action (IDEA) Lab, the incubator will focus on the “conduct of regulatory science research in areas related to health technology and advanced analytics related to cancer” to help modernize the framework for “advancing promising digital health tools.”

INFORMED will:

  • Examine “modern approaches in evidence generation to support regulatory decisions,” with a special emphasis on oncology regulatory science;
  • Develop new clinical endpoints and signal detection methods for evaluation of the safety and effectiveness of therapies;
  • Develop new approaches for understanding variations in individual patient experience using diverse data sets from clinical trials, EHRs, and biometric monitoring devices; and
  • Develop principles and definitions for the validity and strength of AI -derived evidence in the context of product approval and regulations.

Summary of the European Commission’s eHealth Strategy

By Daniel Pavin and Jonathan Benjamin on Posted in EHR/EMR, Health Data, Medical Apps, Personalized Medicine

On the April 25, 2018 the European Commission (the “Commission”) adopted a plan of action to enable the digital transformation of health and care in the Digital Single Market (the “Communication”), intended to put EU citizens at the centre of the healthcare system.  This is to be achieved in three ways:

1. Citizens’ secure access to and sharing of health data

The Commission wishes to ensure that EU citizens should have secure access, anywhere in the EU, to a comprehensive electronic record of their health data. Citizens should remain in control of their health data (wherever it is located) and be able to share it securely with others for purposes chosen by those citizens, for example, medical treatment or research.

The Commission recommends the:

  • development and adoption of a “European electronic health record exchange format”, which would expand the existing eHealth digital services infrastructure; and
  • establishment of interoperable standards that would minimise barriers to cross-border transfer of health information and data within the EU and identify incentives for adopting the common format, and tackle practices that impede interoperability.

Continue Reading

Covington Artificial Intelligence Update: House of Lords Select Committee publishes report on the future of AI in the UK

By Laura Corbett, Franka Felsner and Miranda Cole on Posted in Artificial Intelligence (AI), Cybersecurity, Data Security, Health Data, Health Information Exchanges

Reflecting evidence from 280 witnesses from the government, academia and industry, and nine months of investigation, the UK House of Lords Select Committee on Artificial Intelligence published its report “AI in the UK: ready, willing and able?” on April 16, 2018 (the Report). The Report considers the future of AI in the UK, from perceived opportunities to risks and challenges. In addition to scoping the legal and regulatory landscape, the Report considers the role of AI in a social and economic context, and proposes a set of ethical guidelines. This blog post sets out those ethical guidelines and summarises some of the key features of the Report. Continue Reading

CMS Announces MyHealthEData Initiative to Promote Patient Access to Health Data

By Dena Feldman and Covington Digital Health Team on Posted in Data Security, EHR/EMR, Health Data, HIPAA and Data Privacy

On March 6, 2018, CMS announced the MyHealthEData initiative, which aims to give patients easier access to and control over their medical records.

Announcing the initiative, CMS Administrator Seema Verma laid out a future where individuals will have access to their health data wherever they go and be able to share data with the push of a button, with easy access to their entire medical history from birth, including data from health visits, claims, and information gathered through wearable technology.

According to Administrator Verma’s speech and a CMS announcement, the MyHealthEData program is a government-wide initiative that includes the following components:

Continue Reading

LexBlog