On 1 July 2024, Germany enacted stricter requirements for the processing of health data when using cloud-computing services. The new Section 393 SGB V aims to establish a uniform standard for the use of cloud-computing services in the statutory healthcare system, which covers around 90% of the German population. In this blog post, we describe the specific new requirements for the processing of health and social data using cloud-computing. We will also discuss whether the new rules may impact medical research and other projects that utilize cloud-computing for processing health data.

1. Scope and Background of Sec. 393 SGB V

The new Section 393 SGB V (Social Security Code – Book V) has been enacted with the recent “Digital Act” (see our earlier blog on the Digital Act). The title of Section 393 SGB V is “Cloud-Use in the Healthcare System”. Hence, it aims to impose specific requirements for healthcare service providers, statutory health insurances and their contract data processors when they process health data and social data using cloud-computing services. According to the German legislator, the provision aims at enabling the secure use of cloud services as a “modern, generally widespread technology in the healthcare sector and to create minimum technical standards for the use of IT systems based on cloud-computing”.

The new requirements apply to data processing using cloud-computing irrespective of whether the cloud-computing is offered by an external vendor or provided through a tool that the healthcare provider or health insurance has developed itself.

The term “cloud-computing service” is defined in the law as “a digital service that enables on-demand management and comprehensive remote access to a scalable and elastic pool of shared computing resources, even if these resources are distributed across multiple locations” (Section 384 Sentence 1 No. 5 SGB V). This reflects the corresponding definition of cloud-computing in Article 6 (30) of the NIS2-Directive (EU) 2022/2555 on cybersecurity measures. Services that fall under this definition include, inter alia, Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).

With regard to the terms “health data” and “data processing”, we refer to the corresponding provisions of the GDPR. As far as the new rule applies to “social data”, this term refers to a specific legal concept in Germany that applies to personal data that is intended to be processed by health and other social security insurances.

In terms of timing, the new Section 393 SGB V applies as from 1 July 2024 – without any transition or grace period or grandfathering rules.

2. Consequences for Healthcare Providers and Cloud Service Providers

Under Section 393 SGB V the processing of health data by using cloud-computing services is subject to special requirements. Intended to ensure data security, these requirements include (a) that the data may only be processed in certain geographical regions, and (b) that technical and organizational measures are taken so that cloud service providers meet certain security requirements.

a) Geographical Requirements and Data Transfer Issues

Geographically, Section 393 SGB V requires that health and social data may only be processed

  • In Germany,
  • In an EU or EEA member state, or
  • In a third country under an adequacy decision by the European Commission.

Moreover, the new rules require for all these cases that the data processing entity has a business establishment (“Niederlassung”) in Germany.

In conclusion, and in contrast to the requirements under the EU GDPR, Section 393 SGB V does not recognize the execution of the EU Standard Contractual Clauses (SCCs) or other means like Binding Corporate Rules as adequate guarantees for cloud-computing services when personal data is processed in a third country that is not subject to an adequacy decision by the European Commission.

b) Stricter Technical and Security Compliance Requirements

From a technical and organizational viewpoint, under Section 393 SGB V the processing of health and social data using cloud-computing services is subject to stricter requirements. As such, data processing using cloud-computing services needs to comply with these key conditions:

  • Appropriate technical and organizational measures have to be implemented to ensure data security.
  • A current C5 certificate is issued to the data processing entity with regard to the “C5 basic criteria” (see below) for the cloud systems and the technology used. The C5 (Cloud Computing Compliance Controls Catalogue) certificate is a cloud-computing standard developed by the German Federal Office for Information Security (“BSI”) to ensure cloud service providers meet specific security requirements. It outlines a comprehensive set of controls covering areas like data protection, incident management, and compliance with legal obligations.
  • The cloud-computing customer (i.e., the healthcare providers and/or insurances) must implement the conditions and criteria specified in the C5 certificate test report. The C5 standard expects a shared responsibility between the customers and the cloud-computing service provider.

Until 30 June 2025, a C5 Type 1 certificate is considered “current” under Section 393 (4) SGB V. Thereafter, a new C5 Type 2 certificate is required. Certifications meeting equivalent security levels to BSI C5 may also be acceptable if so specified in a government ordinance to be issued by the German Federal Ministry of Health.

With respect to healthcare providers and health insurance companies, there are also some further technical and organizational requirements which these persons and entities have to meet when using cloud-computing services. These partly depend on the type of healthcare provider or institution concerned.

3. Implications for Medical Research with Pharmaceuticals and Medical Devices

Whether the new Section 393 SGB V also impacts the data processing in medical research projects is not fully clear. From the black letter of the law, certain health data and some medical research projects could be subject to the new requirements of Section 393 SGB V.

A number of medical and clinical research projects typically process health data from patients that are or were treated under the statutory health system. These projects especially include non-interventional studies with pharmaceuticals, post-market clinical follow-up (PMCF) investigations with medical devices as well as registry studies that focus on a particular product or disease. Generally, research that involves real-world data or aims to generate real-world data appears relevant hereunder. Even clinical trials regularly process data from regular medical treatments that are conducted in the statutory health system, so that the health data falls under Section 393 SGB V.

Therefore, the question arises whether the processing of health data for such medical research projects by healthcare providers and sponsor companies and their data processors (e.g., CROs) is also subject to the new compliance requirements of Section 393 SGB V if they use cloud-computing. The answer to this question is not straightforward but rather fact-dependent and requires a careful analysis of the individual circumstances.

While the risk appears low that clinical trials with pharmaceuticals, medical devices and diagnostics will be impacted by Section 393 SGB V, the situation appears different for studies that collect real-world data like non-interventional studies, PMCF studies or product/disease registries. For these, there is a risk that they may be subject to the requirements of Section 393 SGB V.

Relevant aspects to make an assessment for the respective research projects include the type of study/research, the origin of the processed health data, the technologies used for data processing and the legal status of the person processing the data.

4. Final remarks

With the new Section 393 SGB V, Germany has enacted new compliance and security requirements for the processing of health data when using cloud-computing services. The new requirements apply to healthcare providers, health insurances and their data processors and cloud-computing service providers that offer services to these groups. In this blog post, we have described the new technical, organizational and compliance requirements.

The new rules may also impact certain medical research projects that process (real-world) health data by using cloud-computing services. Such projects can include non-interventional studies with pharmaceuticals, PMCF studies with medical devices or (product/disease-focused) registry studies. Therefore, pharmaceutical and medical device companies should also review the potential impact of the new rules on their research activities.

The Life Sciences Team of Covington & Burling LLP in Frankfurt (Germany) will continue monitoring the developments in this area and is well positioned to assist clients in navigating through the various ongoing and upcoming legislative projects.

***

This update focuses on how growing quantum sector investment in the UK and US is leading to the development and commercialization of quantum computing technologies with the potential to revolutionize and disrupt key sectors.  This is a fast-growing area that is seeing significant levels of public and private investment activity.  We take a look at how approaches differ in the UK and US, and discuss how a concerted, international effort is needed both to realize the full potential of quantum technologies and to mitigate new risks that may arise as the technology matures.

Quantum Computing

Quantum computing uses quantum mechanics principles to solve certain complex mathematical problems faster than classical computers.  Whilst classical computers use binary “bits” to perform calculations, quantum computers use quantum bits (“qubits”).  The value of a bit can only be zero or one, whereas a qubit can exist as zero, one, or a combination of both states (a phenomenon known as superposition), allowing quantum computers to solve certain problems exponentially faster than classical computers.

The applications of quantum technologies are wide-ranging and quantum computing has the potential to revolutionize many sectors, including life-sciences, climate and weather modelling, financial portfolio management and artificial intelligence (“AI”).  However, advances in quantum computing may also lead to some risks, the most significant being to data protection.  Hackers could exploit the ability of quantum computing to solve complex mathematical problems at high speeds to break currently used cryptography methods and access personal and sensitive data. 

This is a rapidly developing area that governments are only just turning their attention to.  Governments are focusing not just on “quantum-readiness” and countering the emerging threats that quantum computing will present in the hands of bad actors (the US, for instance, is planning the migration of sensitive data to post-quantum encryption), but also on ramping up investment and growth in quantum technologies. 

Continue Reading Quantum Computing: Developments in the UK and US

FDA recently announced that it will host a public workshop on August 6, 2024 focused on “Artificial Intelligence (AI) in Drug & Biological Product Development.”  Aimed at bringing drug sponsors and AI experts together, the workshop, hosted in collaboration with the Clinical Trials Transformation Initiative, will feature presentations and a panel discussion around guiding principles for the responsible use of AI in the development of safe and effective drugs and biological products. 

Per the Federal Register Notice, FDA plans to discuss the following topics at the workshop:

  1. Optimizing model design through multidisciplinary expertise (e.g., medicine, statistics, pharmacology, data science, and engineering) to ensure the development of optimal AI models.
  2. Exploring strategies for overcoming common data-related challenges, such as the availability of fit-for-use data that can be used in drug development, access via federated learning, data quality issues (e.g., representativeness of data, bias, etc.), and the use of synthetic data.
  3. Balancing model performance, explainability, and transparency of AI models, as well as strategies for assessing the need to integrate humans into the decision-making process (i.e., “human-in-the-loop” and/or “human-on-the-loop”).
  4. Identifying key gaps and challenges hindering the use of AI in drug and biological product development and exploring potential strategies, collaborations, and initiatives to address these challenges and advance the responsible use of AI in developing safe, effective, and quality drugs.

As we have discussed in other Covington Digital Health posts, FDA’s interest in AI used by drug and biological product sponsors is different from FDA’s framework for regulating some AI/ML-based software functions under its medical device authorities (i.e., software as a medical device), and this FDA workshop is the latest in a series of Agency actions specific to AI deployed by biopharma sponsors.  For example, FDA released two discussion papers last year that focused on the use of AI in drug and biological product development and in drug manufacturing, and more recently issued a Federal Register Notice introducing the “Emerging Drug Safety Technology Meeting” program, which will provide those involved in pharmacovigilance (PV) activities the ability to interact with CDER staff regarding the use of AI in the advancement of PV, including efforts to validate and verify relevant models.  This FDA workshop also precedes anticipated draft guidance from the Agency later this year on the use of AI and machine learning to support drug development, which will be informed by insights gained from the Agency’s review of submissions containing AI elements, as well as feedback received on the two discussion papers and the upcoming workshop.

Registration is free and open to the public.

On May 21, 2024, the UK Medicines and Healthcare products Regulatory Agency (“MHRA”) published a statement of policy intent for UK recognition of international regulatory approvals of certain medical devices (the “Statement”).  The Statement follows the Government response to the 2021 consultation on the future regulation of medical devices in the UK that details an intention to introduce alternative routes to market for medical devices, such as utilizing approvals from other countries and Medical Device Single Audit Program (“MDSAP”) certificates, in addition to the current UK Conformity Assessed (“UKCA”) marking process.

The MHRA has already taken similar steps in the medicines space, adopting a new International Recognition Procedure (“IRP”) in January 2024.

In relation to devices, the Statement applies to certain medical devices placed on the market in Great Britain.  For relevant devices, the MHRA proposes to recognize foreign approvals from regulators in Australia, Canada, EU/EEA and USA (which is a smaller number of acceptable regulators than under the MHRA’s IRP for medicines).  The Statement expressly excludes a number of medical devices from international recognition, including software as a medical device (“SaMD”) (including AI as a medical device (“AIaMD”)) and companion diagnostic products approved via US 510(k) (a route which relies on equivalence to a predicate).

The proposed framework is a draft and the final version is expected to come into force in 2025 at the same time as future core regulations.  It also remains the government’s intention to introduce transitional arrangements for UKCA marked devices at the same time.

Continue Reading UK MHRA Announces Intention To Recognize Certain International Approvals For Certain Medical Devices

On Friday, April 26, 2024, the Federal Trade Commission (“FTC”) voted 3-2 to issue a final rule (the “final rule”) that expands the scope of the Health Breach Notification Rule (“HBNR”) to apply to health apps and similar technologies and broadens what constitutes a breach of security, among other updates.  We previously covered the proposed rule, which was issued on May 18, 2023.

Continue Reading FTC Issues Final Rule to Expand Scope of the Health Breach Notification Rule

On April 30, 2024, the UK Medicines and Healthcare products Regulatory Agency (“MHRA”) outlined its strategic approach (“Approach”) to artificial intelligence (“AI”).  The Approach is a response to the UK Government’s white paper: a pro-innovation approach to AI regulation and subsequent Secretary of State letter of 1 February 2024, and is the culmination of 12 months’ work by the MHRA to ensure the risks of AI are appropriately balanced with the potential transformative impact of AI in healthcare.

AI in Healthcare

AI has the potential to revolutionize the healthcare sector and improve health outcomes at every stage of healthcare provision – from preventative care through to diagnosis and treatment.  AI can help in research and development by strengthening outcomes of clinical trials, as well as being used to improve the clinical care of patients by personalizing care, improving diagnosis and treatment, enhancing the delivery of care and health system efficiency, and supplementing healthcare professionals’ knowledge, skills and competencies. 

Continue Reading MHRA Outlines New Strategic Approach to Artificial Intelligence

In March 2024, the EU lawmakers reached agreement on the European Health Data Space (EHDS).  Although the text has not yet been formally adopted by all the European institutions, a number of interesting points can already be highlighted.  This article focuses on the governance and enforcement of the EHDS; for an overview of the EHDS generally, see our first post in this series.

The final text of the EHDS was adopted by the European Parliament on 24 April 2024 and is expected to be formally adopted by the European Council in the coming months.

Continue Reading EHDS Series – 5: European Health Data Space Governance, Enforcement and Timelines

On April 22, 2024, the European Federation of Pharmaceutical Industries and Associations (“EFPIA”) issued a statement on the application of the AI Act in the medicinal product lifecycle. The EFPIA statement highlights that AI applications are likely to play an increasing role in the development and manufacture of medicines.  As drug development is already governed by a longstanding and detailed EU regulatory framework, EFPIA stresses that care should be taken to ensure that any rules on the use of AI are fit-for-purpose, adequately tailored, risk-based, and do not duplicate existing rules.  The statement sets forth five “considerations”:

Continue Reading EFPIA Issues Statement on Application of the AI Act in the Medicinal Product Lifecycle

In early March 2024, the EU lawmakers reached agreement on the European Health Data Space (EHDS).  For now, we only have a work-in-progress draft version of the text, but a number of interesting points can already be highlighted. This article focuses on the implications for “wellness applications” and medical devices; for an overview of the EHDS generally, see our first post in this series.

The final text of the EHDS was adopted by the European Parliament on 24 April 2024 and is expected to be formally adopted by the European Council in the coming months.

Continue Reading EHDS Series – 4: The European Health Data Space’s Implications for “Wellness Applications” and Medical Devices

In early March 2024, the EU lawmakers reached agreement on the European Health Data Space (EHDS).  For now, we only have a work-in-progress draft version of the text, but a number of interesting points can already be highlighted.  This article focusses on the obligations of data users; for an overview of the EHDS generally, see our first post in this series.

We expect the final text of the EHDS to be adopted by the European Parliament in April 2024 and by the EU Member States shortly thereafter.

Continue Reading EHDS Series – 3: The European Health Data Space from the Health Data User’s Perspective