FDA Issues Updated Guidance on the Regulation of Digital Health Technologies

On September 26, 2019, the FDA issued two revised guidance documents addressing its evolving approach to the regulation of digital health technologies. These guidances primarily describe when digital health solutions will or will not be actively regulated by FDA as a medical device. In parallel, FDA also updated four previously final guidance documents to ensure alignment with the new approaches being adopted by the Agency.

As background, FDA issued draft guidance documents in December 2017 that sought to implement section 520(o)(1) of the Federal Food, Drug, and Cosmetic Act (“FDCA”), which was enacted by Congress in the 21st Century Cures Act of 2016 (the “Cures Act”). Those guidance documents raised a number of issues that we discussed on this previous alert.

After receiving comments from stakeholders, the Agency responded by issuing: (i) a revised draft guidance document for clinical decision support (CDS) software (“Clinical and Patient Decision Support Software” or the “CDS Draft Guidance”) and (ii) a final guidance document for other software functions exempted by the Cures Act (“Changes to Existing Medical Software Policies Resulting from Section 3060 of the 21st Century Cures Act” or the “Software Policies Guidance”).

Here are key takeaways on FDA’s newly-issued guidance: Continue Reading

Ideation Question #3: Who Will Supply the Data?

By Nigel Howard and Libbie Canter on October 8, 2019 Posted in Data Security, Health Data, Medical Apps, Medical Devices and FDA

This is the third of our video posts on 10 questions that can help lawyers contribute to the digital health ideation process. Today’s video explores the question: who will provide the data used in the offering?

Ideation Question #2: Who Will Provide Aspects of the Offering?

By Priscilla Fasoro and David Wildman on October 1, 2019 Posted in Data Security, Digital Health, Health Data, Medical Apps, Medical Devices and FDA

This is the second of our video posts on 10 questions that can help lawyers contribute to the digital health ideation process. Today’s video explores the question: who will provide the various components of the offering?

European Parliamentary Research Service issues a briefing paper on implementing EU’s ethical guidelines on AI

By Marty Hansen, Sam Jungyun Choi, Gemma Nash and Laura Richardson on September 30, 2019 Posted in Artificial Intelligence (AI), Ethics, European Union, Internet of Things (IoT)

On 19 September 2019, the European Parliamentary Research Service (“EPRS”)—the European Parliament’s in-house research service—released a briefing paper that summarizes the current status of the EU’s approach to developing a regulatory framework for ethical AI. Although not a policymaking body, the EPRS can provide useful insights into the direction of EU policy on an issue. The paper summarises recent calls in the EU for adopting legally binding instruments to regulate AI, in particular to set common rules on AI transparency, set common requirements for fundamental rights impact assessments, and provide an adequate legal framework for facial recognition technology.

The briefing paper follows publication of the European Commission’s high-level expert group’s Ethics Guidelines for Trustworthy Artificial Intelligence (the “Guidelines”), and the announcement by incoming Commission President Ursula von der Leyen that she will put forward legislative proposals for a “coordinated European approach to the human and ethical implications of AI” within her first 100 days in office.

Commission relaunch of eHealth Stakeholder Group

By Sarah Cowlishaw and Katharine Kinchlea on August 21, 2019 Posted in Artificial Intelligence (AI), Cybersecurity, Data, Data Privacy, EU Data Protection, European Union, Health Data

On 13 August 2019, the European Commission opened a call for expression of interest to relaunch the eHealth Stakeholder Group with a view to supporting the “digital transformation of healthcare in the EU”. The eHealth Stakeholder Group was first launched in 2012 and in its first iteration (between 2012 and 2015), contributed to the development of the Digital Agenda for Europe on eHealth and the eHealth Action Plan. In 2016, the Commission relaunched the Stakeholder Group, and between 2016 and 2018, the group assisted with the Digital Single Market Strategy and the eHealth Action Plan 2012-2020.

The Commission is now seeking representatives of European umbrella organisations active in the eHealth sector to relaunch the stakeholder group for a term of three years. Selected stakeholders will be expected to provide advice and expertise contributing to policy development in particular in relation to the following areas:

Health Data.
Digital health services.
Health data protection and privacy issues.
Cybersecurity for health and care data.
Digital tools for citizen empowerment and person centred care.
Artificial intelligence and health.
Other cross cutting aspects linked to the digital transformation of health and care, such as financing and investment proposals and enabling technologies.

The group will also engage with, and seek input from representatives and organisations across society including academics, healthcare professionals, patient groups and the tech industry sector.

The call is open until 27 September 2019 and the selections criteria can be viewed on the Commission’s website here.

ICO publishes blog post on AI and trade-offs between data protection principles

By Mark Young, Sam Jungyun Choi and Gemma Nash on August 6, 2019 Posted in Artificial Intelligence (AI), Data Privacy

On July 25, 2019, the UK’s Information Commissioner’s Office (“ICO”) published a blog on the trade-offs between different data protection principles when using Artificial Intelligence (“AI”). The ICO recognizes that AI systems must comply with several data protection principles and requirements, which at times may pull organizations in different directions. The blog identifies notable trade-offs that may arise, provides some practical tips for resolving these trade-offs, and offers worked examples on visualizing and mathematically minimizing trade-offs.

The ICO invites organizations with experience of considering these complex issues to provide their views. This recent blog post on trade-offs is part of its on-going Call for Input on developing a new framework for auditing AI. See also our earlier blog on the ICO’s call for input on bias and discrimination in AI systems here.

French medicines regulator produces first in Europe medical devices cybersecurity guidelines

By Harriet Fletcher, Delphine Marchal and Sarah Cowlishaw on July 24, 2019 Posted in Cybersecurity, European Union

France’s medicines regulator, the Agence Nationale de Sécurité du Médicament et des Produits de Santé (ANSM), has released draft guidelines, currently subject to a public consultation, setting out recommendations for manufacturers designed to help prevent cybersecurity attacks to medical devices. Notably, the draft guidelines are the first instance of recommendations released by a national regulator in Europe that apply cybersecurity considerations specifically to medical devices. The full ANSM draft guidelines, ‘Cybersécurité des dispositifs médicaux intégrant du logiciel au cours de leur cycle de vie’ (‘Cybersecurity of medical devices integrating software during their life cycle’) published 19 July 2019, is available in French here, and in English here.

The draft guidelines note that while the European regulatory framework (the Medical Devices Regulation 2017/745 and In Vitro Diagnostic Medical Devices Regulation 2017 /746) has been modified “in line with technological developments” (e.g. “data exchange, monitoring, risk prediction and control software”) to include software within the definition of a medical device, and accompanying security and performance requirements specific to such medical devices incorporating software, the “[medical device and in vitro diagnostic medical device r]egulations do not explicitly refer to or elaborate on the notion of cybersecurity”. For the purposes of the guidelines, ‘cybersecurity’ is described as “the full set of technical or organisational measures set up to ensure the integrity and availability of a [medical device] and the confidentiality of the information held on or output by this [medical device] against the risk of targeted attacks.”

In overview, the draft guidelines require manufacturers to undertake risk assessments using both IT and medical device risk management methodology, and then align these approaches as part of manufacturers’ implementation of quality management systems. The recommendations are subdivided into areas representing different parts of the product life cycle, including: software design activity; initialization (first use); monitoring (post market management); and medical device software end of life.

The draft guidelines also make reference to the French ‘General Security Framework’ from which “the criteria of availability, integrity and confidentiality are the baseline objectives to fulfil in terms of security” and that “various documents and tools provided by the ANSSI [the French National Security Agency] are also applicable to [medical devices].” Further, the draft guidelines introduce a criterion of ‘auditability’ to be additionally addressed by medical device manufacturers.

ANSM has shared its work within this area with the European Commission in the hope that “the [European] regulations evolve to integrate [ANSM’s work]” as it is the first time that such recommendations have been drafted in the EU. The draft guidelines are currently subject to public consultation until 30 September 2019.

German Government Enacts Digital Care Act

By Liza Herberger on July 15, 2019 Posted in EHR/EMR, Health Data

The new Digital Care Act (Digitale-Versorgung-Gesetz) is part of Germany’s efforts to expand the digitization of the healthcare system in Germany. Germany has already been pursuing this path since the so-called ‘E Health Act’ from 2016. The aim of the ‘E-Health Act’ was to establish information and communication technology in healthcare. It focuses in particular on the development of the ‘electronic health card’ and the corresponding ‘electronic patient file’ for statutory health-insured people (see below for more information on such applications), the protection of the data stored in such files against unauthorised use, the creation of a secure ‘telematics infrastructure’, the improvement of the interoperability of healthcare IT systems, and the provision of telemedical services. The ‘telematics infrastructure’ will be an interoperable and compatible information, communication and security infrastructure for the use of the ‘electronic health card’ and the corresponding ‘electronic patient file’, its applications and other electronic applications in healthcare and health research.

The new Digital Care Act builds upon the ‘E-Health Act’ by focusing on the following: medical doctors will not only be allowed to prescribe traditional medicines and treatment methods to their patients, but also health apps. Such health apps may, for example, remind chronically ill people to take their medicine regularly, or provide a diary function where users can note their daily well-being. In the future, German statutory health insurances funds have to reimburse the costs of health apps under certain conditions. Initially, the health app shall be tested for data security, data protection and functionality by the German Federal Institute for Drugs and Medical Devices (‘BfArM’). After the successful test and launch, statutory health insurances will reimburse the costs provisionally for one year. During this period, the manufacturer of the health app must prove to the BfArM that its health app improves patient care. The reimbursement amount will be negotiated with the German Association of Health Insurance Funds (GKV-Spitzenverband).