Earlier this year, President Trump signed into law the Bipartisan Budget Act of 2018 (BBA), which incorporates provisions from the Creating High-Quality Results and Outcomes Necessary to Improve Chronic (CHRONIC) Care Act of 2017 and improves access to telehealth services in Medicare Advantage. Pub. L. No. 115-123. Among other provisions impacting Medicare Advantage Organizations (MAOs), the BBA authorizes MAOs to offer additional telehealth benefits as basic benefits beyond original Medicare (Part A and Part B) limitations. Id. at Div. E., Title III, Subtitle C, § 50323.
There are two papers in the May 15 volume of the Annals of Internal Medicine that discuss digital health applications and are illustrative of the topics being considered by physicians as they evaluate the adoption and impact of digital solutions. These papers serve as examples of the active dialogue taking place around the appropriate regulatory framework for digital health solutions and the increasing awareness of the need to embrace rapid innovation while at the same time ensuring these solutions work appropriately for the patients that use them.
The first is a paper by Dr. Andrew Auerbach, UCSF Division of Hospital Medicine, Dr. Aaron Neinstein, University of California, and Dr. Raman Khanna, University of California, entitled “Balancing Innovation and Safety When Integrating Digital Tools Into Health Care.” The paper proposes a “local evaluation” framework, which the authors believe “will likely replace formal evaluations” by the FDA, to ensure digitals tools are safely and effectively introduced into patient care at a particular institution or system. Specifically, recognizing that digital tools “evolve rapidly” and are “unlikely to be supported by evidence from preclinical trials,” the authors propose forming “digital diagnostics and therapeutics committees” at individual institutions to evaluate and monitor digital health tools. These committees would be modeled on existing pharmacy and therapeutics committees and would consist of groups of professionals with specific key competencies for analyzing digital tools, including information technologists and specialists in privacy and security. The committees would be responsible for evaluating digital tools prior to and following local deployment to ensure patient safety, data protection and the feasibility of using the solution from a financial perspective, including by assessing the lifetime cost of the solution. The authors suggest that local evaluation strikes the right balance between the need to maintain patient safety while encouraging and accommodating the rapid adoption of digital health solutions.
The second is a paper by Theodore Lee at the Yale Law School and Dr. Aaron Kesselheim from the Program on Regulation, Therapeutics, and Law (PORTAL), at Brigham and Women’s Hospital entitled “U.S. Food and Drug Administration Precertification Pilot Program for Digital Health Software: Weighing the Benefits and Risks.” The paper assesses the potential effects of the FDA’s Digital Health Software Precertification (Pre-Cert) Program and highlights the risk that, without modification, the program will “ascribe FDA validation” to digital health products “that have not established actual clinical benefits.” The key issue identified by the authors is that “a company may follow best practices for internally testing software but still develop products that prove to be unsafe” and, therefore, the Pre-Cert Program’s reliance on the quality of a company’s internal processes as a substitute for the standard clinical study process is, in the view of the authors, insufficient. Thus, while the authors recognize the benefits of the Pre-Cert Program and the need to expedite regulatory review of medical software more generally, they conclude that “safety and effectiveness standards for critical technologies cannot rely on manufacturer metrics over product performance” and that “adequate study of safety and effectiveness is needed at some point in [the product] lifecycle.” The paper provides some data to back up its words of concern, including citing a study that showed only 12 of 117 mobile apps intended to treat depression offered support based on accepted standards of care and that even those 12 apps inconsistently adhered to the standards. The authors are also somewhat critical of the Pre-Cert Program’s postmarket surveillance requirements and advocate augmenting those requirements with prospective trials and continual monitoring of real-world data.
These papers are good reminders of the need to balance the nimbleness and speed of digital innovation with the underlying objective of producing safe and effective products that provide real reductions in healthcare costs and improved patient outcomes. The papers also illustrates a range of perspectives on the topic—highlighting how regulators, physicians, developers and legal professionals continue to grapple with these competing factors and foreshadow a future in which regulation is continually calibrated as digital health offerings evolve and the impact on patients becomes more readily discernable. As our Digital Health team recently reported, FDA is continuing with the Pre-Cert Program and Commissioner Gottlieb made significant announcements last month and released FDA’s first draft of a Working Model for the Pre-Cert Program.
On 1 May, 2018 the Centre for Policy Studies (the “CPS”) published its latest paper on the UK’s National Health Service (the “NHS”) entitled “Powerful Patients, Paperless Systems: How New Technology Can Renew The NHS” (the “Paper”). The Paper advocates a “digital first NHS” that adopts a paperless system and enables patients to take full advantage of the continuing digitisation and integration of technology, often referred to as the Fourth Industrial Revolution (“4IR”).
To facilitate this change the Paper outlines three key targets that should be set by the Department of Health and Social Care, to be achieved by 2028:
- Move the NHS to a “digital first” platform and to aim to ensure that all interactions within the health service are digitally driven.
- Build an ecosystem of apps and innovation within and around the NHS, to improve patient service and control.
- Ensure that the savings made from automation and innovation are put back into frontline services and that budgets for staff R&D and technology training rise in line with overall NHS spending.
On April 26, Commissioner Gottlieb addressed the agency’s progress on FDA’s Digital Health Innovation Action Plan and announced several additional steps the agency is taking to advance the potential benefits of digital health. Here is a recap of the key updates:
(1) Launch of New FDA Program to Apply Digital Health to Drugs
As our readers are aware, FDA has provided little public insight to date around the Agency’s regulatory approach to digital health associated with pharmaceuticals (click here for information about our Digital Health team’s webinar on the topic). Commissioner Gottlieb recognized the regulatory uncertainty and announced that FDA will seek public input “on the right approach to incorporating software that’s designed to be used with prescription drugs” and “expand the opportunities to use digital health tools as part of drug development.” Specifically, FDA intends to:
- Request input on how FDA can support development of digital health tools for approved drugs, including how to properly regulate software that undergoes rapid cycles of innovation;
- Establish clear policies around how digital health tools can be baked into drug development programs;
- Clarify that not all FDA requirements apply every time a digital health tool is employed in relation to a prescription drug or by a pharmaceutical manufacturer;
- Enable sponsors to comply with regulatory requirements using digital health tools, such as post-market surveillance requirements; and
- Allow for new safety and efficacy claims to be supported by data collected through digital health solutions (e.g. increased activity, improved mood, or greater social interactions for patients treated for severe depression).
FDA has not yet opened the public docket, but stakeholders should consider providing input to FDA given the significance of the regulatory issues involved. The Commissioner noted that FDA intends to advance a new framework through guidance, presumably after seeking input through the public docket.
(2) Expansion and Public Input on the Pre-Certification Pilot Program
FDA took another step in developing the novel model for pre-market review of software devices and released a draft working model for the Pre-Certification program. The model describes four components: (1) excellence appraisal and precertification; (2) review pathway determination; (3) streamlined premarket review; and (4) real world performance. Under the model, developers of software as a medical device (SaMD) would be certified into one of two levels based on objective demonstration of commitment to five excellence principles and the developer’s prior experience delivering SaMD or medical devices. Whether a particular SaMD product by that developer requires premarket review would depend on the precertification level, the seriousness of the healthcare situation or condition addressed by the product, and the significance of the information provided by the product to a healthcare decision.
The working model includes a number of “challenge questions” on which the agency seeks input from stakeholders. The agency has stressed that the Pre-Cert program is intended to be an iterative, collaborative experience and is actively seeking stakeholder comments. FDA requested comments on the challenge questions for the working model by May 31, 2018. Comments may be submitted to the public docket electronically.
The agency also published a roadmap for next steps in the development of the program, under which the agency will launch “Pre Cert 1.0,” a first version of the program by the end of 2018, with further refinement of the program in 2019. There’s also been congressional interest in the program, which we’ll also continue to monitor for our clients.
On May 10, 2018, FDA will host an interactive user session to discuss the agency’s progress on the Pre-Cert pilot program, the working model, and the roadmap.
(3) New Framework for FDA’s Approach to Artificial Intelligence
Given the rapidly expanding use of AI-based technologies in health care, Commissioner Gottlieb announced that FDA was “actively developing a new regulatory framework to promote innovation . . . and support the use of AI-based technologies.” This includes applying the Pre-Cert program in a way that accounts for the ability of machine learning-based technologies to improve over time, by allowing pre-certified companies to make certain minor changes without premarket review. In addition, the agency will ensure that other aspects of the regulatory framework, “such as new software validation tools, are sufficiently flexible to keep pace with the unique attributes of this rapidly advancing field.”
FDA expects an increasing number of AI-based premarket submissions. The agency is working with AI experts to understand how AI-based technologies can be validated and “and how patients and providers can be confident that they’re reliable, unbiased, and will help improve health outcomes.” In addition, FDA will consider how to communicate to patients and providers the connection between decision-making in traditional health care settings and the use of these advanced technologies.
(4) Continued FDA Guidance Implementing the Cures Act: Multiple Functions Guidance
Pursuant to the agency’s Digital Health Innovation Action Plan, FDA issued a draft guidance, “Multiple Function Device Products: Policy Considerations,” addressing products that contain multiple functions, some of which are subject to FDA regulatory oversight as medical devices and others of which are not. The Center for Devices and Radiological Health (CDRH) and the Center for Biologics Evaluation and Research (CBER) issued the draft guidance, but the Center for Drug Evaluation and Research (CDER) did not join. The 21st Century Cures Act outlined a function-by-function approach to determining appropriate FDA regulation of health and medical software, and the Cures Act permits FDA to regulate only those software functions that meet the definition of a device, although the agency may consider the impact of the non-device software functions on the regulated device functions. While the Cures Act provision is specific to software, the new draft guidance applies to other types of products that include both device and non-device functions.
Stakeholders can submit comments on the draft guidance in the electronic docket through June 26, 2018.
(5) New Digital Safety Reporting for Drug and Biologic Clinical Trials
FDA will implement a new program to enable a unified data standard for meeting electronic reporting requirements under the expedited safety-reporting regulations of an Investigational New Drug application (IND). According to FDA, the program builds off a recently-completed pilot program assessing the feasibility of a digital submission process in which IND safety reports were transmitted to FDA as data that can be easily visualized and analyzed. The goal of the new digital framework is to significantly improve the efficiency and accuracy of the premarket safety submission and review process.
(6) New Digital Health Incubator at FDA: INFORMED
The agency is creating an internal data science incubator called the Information Exchange and Data Transformation, or INFORMED. Launched in collaboration with HHS Innovation, Design, Entrepreneurship and Action (IDEA) Lab, the incubator will focus on the “conduct of regulatory science research in areas related to health technology and advanced analytics related to cancer” to help modernize the framework for “advancing promising digital health tools.”
- Examine “modern approaches in evidence generation to support regulatory decisions,” with a special emphasis on oncology regulatory science;
- Develop new clinical endpoints and signal detection methods for evaluation of the safety and effectiveness of therapies;
- Develop new approaches for understanding variations in individual patient experience using diverse data sets from clinical trials, EHRs, and biometric monitoring devices; and
- Develop principles and definitions for the validity and strength of AI -derived evidence in the context of product approval and regulations.
On the April 25, 2018 the European Commission (the “Commission”) adopted a plan of action to enable the digital transformation of health and care in the Digital Single Market (the “Communication”), intended to put EU citizens at the centre of the healthcare system. This is to be achieved in three ways:
1. Citizens’ secure access to and sharing of health data
The Commission wishes to ensure that EU citizens should have secure access, anywhere in the EU, to a comprehensive electronic record of their health data. Citizens should remain in control of their health data (wherever it is located) and be able to share it securely with others for purposes chosen by those citizens, for example, medical treatment or research.
The Commission recommends the:
- development and adoption of a “European electronic health record exchange format”, which would expand the existing eHealth digital services infrastructure; and
- establishment of interoperable standards that would minimise barriers to cross-border transfer of health information and data within the EU and identify incentives for adopting the common format, and tackle practices that impede interoperability.
Reflecting evidence from 280 witnesses from the government, academia and industry, and nine months of investigation, the UK House of Lords Select Committee on Artificial Intelligence published its report “AI in the UK: ready, willing and able?” on April 16, 2018 (the Report). The Report considers the future of AI in the UK, from perceived opportunities to risks and challenges. In addition to scoping the legal and regulatory landscape, the Report considers the role of AI in a social and economic context, and proposes a set of ethical guidelines. This blog post sets out those ethical guidelines and summarises some of the key features of the Report. Continue Reading
On March 6, 2018, CMS announced the MyHealthEData initiative, which aims to give patients easier access to and control over their medical records.
Announcing the initiative, CMS Administrator Seema Verma laid out a future where individuals will have access to their health data wherever they go and be able to share data with the push of a button, with easy access to their entire medical history from birth, including data from health visits, claims, and information gathered through wearable technology.
According to Administrator Verma’s speech and a CMS announcement, the MyHealthEData program is a government-wide initiative that includes the following components:
Inflection Point for IoT
In a relatively short amount of time, the adoption of the Internet of Things (IoT) and its applications— from smart cars to the myriad of interconnected sensors in the General Service Administration building reminiscent of HAL 9000 from 2001: A Space Odyssey— has rapidly proliferated, providing significant opportunities and benefits. However, the increased ubiquity of IoT comes with heightened risks to security, privacy and physical safety and without a standardized set of cybersecurity requirements, many IoT devices and systems are vulnerable to attack. Earlier this month, the National Institute of Standards and Technology (NIST) (through the Interagency International Cybersecurity Standardization Working Group (IICS WG)) released a draft report to help both federal agencies and private companies plan and develop cybersecurity standards in their use and production of IoT components, products, systems and services. The draft report stresses the importance of coordination across the private and public sectors in developing standards to bolster the security and resilience of IoT, provides a snapshot of current international cybersecurity standards, and offers recommendations for gap-filling.
Mind the Gap
The draft report uses five market areas of IoT application (Connected Vehicles, Consumer IoT, Health IoT & Medical Devices, Smart Buildings and Smart Manufacturing) to provide a synopsis on the current state of play for international cybersecurity standards along the following core areas:
- Cryptographic Techniques
- Cyber Incident Management
- Hardware Assurance
- Identity and Access Management
- Information Security Management Systems
- IT System Security Evaluation
- Network Security
- Security Automation and Continuous Monitoring
- Software Assurance
- Supply Chain Risk Management
- System Security Engineering
While there are at least some established standards in most of these core areas, a few areas currently lack standards (namely, IT System Security Evaluation, Network Security and System Security Engineering). Indeed, even where standards have been established, consistent implementation across the five market areas are either lagging or nonexistent. For example, although some Hardware Assurance standards exist for the Connected Vehicles and Health IoT market areas, implementation has been lagging, while the same standards have yet to be implemented in the Consumer IoT, Smart Building and Smart Manufacturing market areas. This inconsistency in standards and adoption is explained by the draft report as a function of the traditional prioritization of cybersecurity in networks. Typically, cybersecurity focuses on confidentiality, integrity, and availability (in that order), but when an organization develops standards for IoT technologies, it’s important to consider how the IoT components interact with the physical world as well as each other when prioritizing; accordingly, cybersecurity for an IoT device may be ordered differently depending on the use case. For example, Hardware Assurance is likely the most important issue for a medical device such as a pacemaker while Identity and Access Management are likely paramount for Smart Buildings.
A New Standard of Care?
So why should private companies care about this draft report? NIST is a part of the Department of Commerce and unlike other standards bodies that are dependent on licensing revenues for funding, NIST’s work is effectively in the public domain. Some NIST standards (such as FIPS) become requirements for federal agencies and their contactors, particularly in the absence of clearly identified alternatives (the Department of Defense, for example, imposes the security controls found in NIST publication 800-171 on its contractors). Therefore, suppliers and contractors to government agencies will often be required to evaluate themselves against NIST standards in the absence of industry accepted alternatives.
Further, to the extent that NIST finalizes this report and establishes that there are approved cybersecurity standards that are characterized as mature, manufacturers and users of IoT devices may face an argument that following those standards is a standard of care to which they must adhere. In a typical common-law context, the standard of care is determined by asking what a reasonable and prudent person would do in the same circumstance. To be imposed as a standard of care, however, the cybersecurity standard also must have reasonable acceptance in the relevant community and impose a specific duty on a person or company. Though the NIST report does not yet represent such a standard, NIST’s view is persuasive to some sectors and available for companies without cost. Companies working in the US may want to consider the positions in this report in their planning sequences, perhaps to leverage the final version as a self-assessment tool to identify gaps and/or to confirm that certain named standards are not relevant to their organizations. Given that NIST is seeking feedback from the public, there is an opportunity for private companies to have meaningful input in the final version of this report.
The Clock is Ticking
At a time when the application of IoT is experiencing rapid growth across industries, NIST states that it hopes the report will inform and enable managers, policymakers, and Standards Developing Organizations as they seek to develop a holistic cybersecurity framework focused on security and resiliency. Although the benefits of IoT are significant, the draft report acknowledges that “the timely availability of international cybersecurity standards is a dynamic and critical component for the cybersecurity and resilience of all information and communications systems and supporting infrastructures.” Failing to establish effective standards could have significant consequences on current products and on how future products are developed.
Public comments to the draft report are being accepted until April 18, 2018 and can be submitted to NIST at NISTIRfirstname.lastname@example.org using the comment template available at https://csrc.nist.gov/publications/detail/nistir/8200/draft.
As 2018 gets underway, EHR vendors and users continue to face challenges and uncertainty. There are three legal and regulatory issues in particular that we think are important to watch over the next 10 months:
On February 1, 2018, Covington’s Digital Health team hosted a webinar examining U.S. and EU regulatory issues for digital health associated with pharmaceuticals. Here are some key takeaways from that webinar:
- Neela Paykel from Proteus Digital Health, noted that “you need to think outside the box for how to engage, whether you’re a pharma company or a digital health company. For pharmaceuticals, you have to understand that there’s more risk tolerance in the technology space. For digital health companies, you have to understand healthcare regulation and appreciate all the regulations pharmaceutical companies are dealing with on a regular basis.”
- Grant Castle from Covington’s London office described how “it’s tempting to think once you’ve understood the regulations, you can enter the market with a digital health product, but in many respects, that’s the start of the challenge. Systems for pricing and reimbursement of digital health offerings have yet to evolve fully. It can also be challenging for a pharmaceutical company to offer digital health products where regulations might prohibit pharmaceutical companies from providing incentives to healthcare professionals for its products. Such issues mean that you need to think strategically.” Sarah Cowlishaw added that digital technologies are being used in drug development, particularly to help collect real world evidence. Companies thinking about digital health in drug development need to consider other challenges such as data reliability, consent, and operability with other platforms.
- Christina Kuhn described how different centers within FDA might decide whether a digital health solution is regulated as a device and whether a digital health solution would affect a pharma company’s responsibilities for a drug. Wade Ackerman noted that “companies approaching FDA should think carefully about how to present FDA with the information it needs to understand and assess the digital health innovation. How companies approach the agency will depend on the particular digital health technology, including how it relates to a pharmaceutical product.”
Neela Paykel is general counsel at Proteus Digital Health. Wade Ackerman (Los Angeles), Grant Castle (London), Christina Kuhn (DC), Sarah Cowlishaw (London) are all members of Covington’s global Food, Drug, and Device Regulatory Group and part of Covington’s cross-practice Digital Health team. If you would like to view a recording of this webinar, please contact Jordyn Pedersen at email@example.com.