On September 28, the governor of California signed into law AB 2089, which expands the scope of California’s Confidentiality of Medical Information Act (“CMIA”) to cover mental health services that are delivered through digital health solutions and the associated health information generated from these services. 

Continue Reading California Expands the Scope of the CMIA to Cover Certain Digital Mental Health Services and Information

The UK has reaffirmed its commitment to leading the way in regulatory innovation in software as a medical device (“SaMD”) and artificial intelligence as a medical device (“AIaMD”).  On 17 October 2022, the UK Medicines & Healthcare products Regulatory Agency (“MHRA”) published its Guidance on “Software and AI as a Medical Device Change Programme – Roadmap.”  It builds on the Government response to consultation on the future regulation of medical devices in the UK and follows on from the Software and AI as a Medical Device Change Programme, which was published in 2021.  The MHRA has provided deliverables, which map out a course for change to the regulation of this sector.

Aim:

The MHRA’s primary aim is “to protect patients and public whilst ensuring that we accelerate responsible innovation.”  To achieve this, MHRA places emphasis on (A) safety; (B) clarity and streamlined processes (facilitated through guidance and designated standards); and (C) removing friction through a joined up offering for digital health in the UK and strengthening international convergence.

Approach:

At its core, the MHRA’s approach to developing the Roadmap is “patient centred” (noting that AIaMD raises broad questions for society) and highlights need for innovation in this sector to be inclusive across all populations.  The MHRA also wants to support manufacturers and so wants to provide tools to demonstrate conformity (working with BSI to develop standards and tools) and wants to reduce regulatory burdens on industry by driving international consensus.  To achieve this the MHRA intends to update the legislative regulatory framework for SaMD/AIaMD.  However, the majority of changes will be introduced through guidance.  The MHRA highlights that this approach is supported across the government and it has considered related areas of law when developing this framework for medical devices.

Work Packages:

The MHRA sets out a number of work packages (some as standalone packages and others nested within others).  Each package includes (i) a problem statement; (ii) the objectives that breakdown the problem; and (iii) specific deliverables that the MHRA will use to meet the objectives.  We have not covered them in detail but, in summary, these work packages cover:

  • WP 1 Qualification – the MHRA will address the lack of clarity on what qualifies as SaMD and software in a medical device, help manufacturers craft an intended purpose and clarify the concept of “manufacturer” for SaMD.
  • WP 2 Classification – reclassify software so the classification rules are proportionate to the risk.  The MHRA will reform the classification rules, explore the “airlock process” and provide guidance.
  • WP 3 Premarket Requirements – premarket requirements for software will be clarified so the requirements fit software.  The MHRA list six deliverables including reviewing the essential requirements, providing “Best practice” for development and deployment plus providing guidance on a number of topics (retrospective non-interventional studies, joint guidance with the Health Research Authority on governance of research and the importance of human-centered SaMD).
  • WP 4 Post Market – the MHRA highlights that it needs to obtain stronger safety signals for SaMD.  The MHRA will look at adverse incidents for SaMD, change management plus predetermined change control plans/protocols and best practice for expanding the intended purpose of medical devices.
  • WP 5 Cyber Secure Medical Devices – the current regulations do not consider cyber security vulnerabilities.  The MHRA will consider cyber security requirements, management of unsupported software devices (i.e., when manufacturers exit the market) and reporting of vulnerabilities.
  • WP 9 AI RIGOUR – the MHRA notes the lack of clarity on how devices using AI can best meet medical device requirements.  The MHRA intends to develop good machine learning guidance to supplement the good machine learning guiding principles published last year (see our previous blog post here).  Alongside BSI, it will map out and develop standards.  It will also develop best practice guidance and consider experimental work to detect, measure and correct for bias.
  • WP 10 Project Glass Box (Interpretability) – current regulatory requirements do not consider adequately interpretability of AIaMD and the impact this has on safety and efficacy.  The MHRA will develop best practice guidance on “human-centered SaMD” and will produce standards on the development of trustworthy AI.
  • WP 11 – Project Ship of Theseus (Adaptivity) – current systems on the notification and management of change do not fit AIaMD.  The MHRA will thus create guiding principles on adaptivity and change management, explore the concept of “drift” and significant/substantial change and set out proposals for predetermined change control plans for SaMD and AIaMD.

The MHRA intends to publish deliverables in a step-wise manner.  Industry should expect to see the first sub-set of deliverables by the end of this year. 

Comment:

The UK indicated a potential benefit of leaving the EU was that it could develop a world-leading regulatory framework.  However, there has been little in the Government’s response to the Consultation on the future regulation of medical devices in the UK that would make the UK “world-leading.”  Arguably, at best many of the suggested changes merely align the UK with other jurisdictions and at worst add additional regulatory hurdles.  However, the MHRA’s latest announcements suggests that for the SaMD and AIaMD space the UK Government is committed to being world-leading and supporting innovation in a patient centered way.  The MHRA is driving forward the development of practical guidance and standards, the lack of which is often bemoaned by those working in this sector.  However, the MHRA seems alive to the issue of creating frameworks/requirements that add burdens and so is emphasizing its aim to align not only with other areas in the UK (including NICE, CQC and HRA) but also internationally.  This could be an area in which the UK is able to take a leading role in creating a regulatory system to protect patients and promote innovation.

Digital health technologies, including algorithms for use in health care, are being developed to aid healthcare providers and serve patients, from use with administrative tasks and workflow to diagnostic and decision support.  The use of artificial intelligence (“AI”) and machine learning algorithms in health care holds great promise, with the ability to help streamline care and improve patient outcomes.  At the same time, algorithms can introduce bias if they are developed and trained using data from historical datasets that harbor existing prejudices.  Both state and federal governments have taken steps to address the potential for racial and ethnic disparities in use of algorithms by healthcare facilities, demonstrating that this continues to be a top priority as new technologies are deployed in health care.

California Attorney General Rob Bonta recently sent letters to 30 hospital CEOs across the state requesting information about how healthcare facilities and other providers are identifying and addressing racial and ethnic disparities in software they use to help make decisions about patient care or hospital administration.  The press release stressed the importance of identifying and combatting racial health disparities in healthcare algorithms, and the AG’s letter seeks information such as a list of all decision-making tools or algorithms the hospitals use for clinical decision support, health management, operational optimization, or payment management; the purposes for which these tools are currently used and how they inform decisions; and the names of the persons responsible for ensuring they do not have a disparate impact based on race.  Responses are due to the AG by October 15. 

The federal government also has made disparities in health care a top priority.  For example, the Department of Health and Human Services (HHS) recently issued a proposed rule regarding nondiscrimination in health programs and activities.  Amongst other proposals aimed at combatting discrimination, HHS proposed provisions related to nondiscrimination in the use of clinical algorithms in healthcare decision-making and in telehealth services.  Proposed § 92.210 states that “a covered entity must not discriminate against any individual on the basis of race, color, national origin, sex, age, or disability through the use of clinical algorithms in its decision-making.”  The proposed rule notes that a covered entity would not be liable for clinical algorithms they did not develop, but HHS proposes to impose liability for any decisions made in reliance on clinical algorithms if they rest upon or result in discrimination.  The proposed rule noted that the Department “believes it is critical to address this issue explicitly in this rulemaking given recent research demonstrating the prevalence of clinical algorithms that may result in discrimination.”  Comments are due to HHS by October 3.  HHS specifically seeks input on whether the provision should include additional forms of automated decision-making tools beyond clinical algorithms; whether the provision should include potential actions covered entities should take to mitigate discriminatory outcomes; and recommendations on how to identify and mitigate discrimination resulting from the usage of clinical algorithms.

These state and federal actions, as well as the associated responses, could inform ongoing dialogue about how to advance the use of digital health technologies while in parallel making progress to address inequities in health care.

The Medical Device Coordination Group (“MDCG”) has published a new position paper (MDCG 2022-14) acknowledging the significant and urgent lack of capacity of EU notified bodies.  It acknowledges the risk that this could lead to many existing and new medical devices and in vitro diagnostic medical devices (“IVDs”) not undergoing timely conformity assessments under Regulation (EU) 2017/745 (the “MDR”) or Regulation (EU) 2017/746 (the “IVDR”) (together, the “Regulations”)).  In turn, this could mean patients miss out on access to, potentially, lifesaving medical devices and IVDs.  As such, the MDCG has suggested actions for mitigating such challenges.  Importantly, there is a focus on flexibility and pragmatism.

Background

The introduction of the Regulations has meant that many new and existing medical devices and IVDs will need to undergo a conformity assessment by a notified body in the next few years in order to continue to be placed on the market in the EU. Additionally, the Regulations require the re-designation of notified bodies to allow them to conduct conformity assessments under the Regulations. The time-consuming process of such re-designation has led to there being an insufficient number of notified bodies available to conduct conformity assessments under the Regulations.

Thus, a lack of notified body capacity and a large number of devices requiring conformity assessment means there is a risk devices will not be CE marked prior to expiry of applicable transitional provisions, which could result in a disruption to the supply of devices and a significant knock-on impact for patients. 

The MDCG’s latest publication both recognizes and attempts to assuage these concerns by proposing counter-actions aimed to “enhance notified body capacity, access to notified bodies and manufacturers’ preparedness in order to facilitate transition to the MDR and IVDR and to avoid shortage of medical devices”.

This blog post seeks to summarize the MDCG’s recommendations.

Increase notified body capacity

The MDCG makes eleven (11) recommendations that aim to increase notified body capacity.

It advises that notified bodies:

  • use hybrid audits;
  • avoid unnecessary duplication of work (e.g., by leveraging evidence and previous assessment results generated under the prior directives);
  • rationale and streamline internal administrative processes; and
  • be flexible when carrying out “appropriate surveillance” of legacy devices (e.g., by combining audits under the prior directives and the Regulations).

Relevant parties are advised to:

  • foster capacity-building in new and existing notified bodies; and
  • make every effort to speed up the process for designation and notification of conformity assessment bodies.

The MDCG commits to:

  • review its guidance to “eliminate [the] administrative workload” of notified bodies”;
  • explore ways of adding codes to the designation of notified bodies in a timely manner (looking at the depth of assessment and ways to make it faster); and
  • prioritize its own actions aimed at contributing to notified body capacity (including revision of its guidance on the meaning of “personnel employed by the notified body”, MDCG 2019-6 rev. 3).

Additionally, the MDCG calls for the Eudamed framework, which allows machine-to-machine upload of information, to be developed and deployed as soon as possible.

Finally, and importantly, the MDCG clarifies the status of its guidance and how it should be used.  It states:

As regards the status of MDCG guidance documents, MDCG reminds that their main objective is to assist economic operators, notified bodies and competent authorities to apply the legal requirements in a harmonised way, providing possible solutions endorsed by the MDCG. Having regard to the status of guidance documents, economic operators and notified bodies should be allowed flexibility as to how to demonstrate compliance with legal requirements. Moreover, reasonable time needs to be given to integrate new guidance in the relevant systems and/or to apply them. That means that new guidance should not be applied to ongoing processes or applications already launched by a conformity assessment body for designation and/or a manufacturer for conformity assessment, unless application of such guidance yields increased efficiency of the process.” (emphasis added)

Thus, the MDCG takes a pragmatic approach by indicating that those undergoing assessments under the Regulations should not have to contend with new guidance published after an application has been submitted moving the goal posts mid-assessment.  Rather, new guidance should apply only to subsequent applications.


Increase access to notified bodies

The second category of MDCG suggestions are those focusing on “access to notified bodies”. The first of these emphasizes the obligation of notified bodies to make their standard fees publicly available, to allow manufacturers, particularly SMEs that may have fee concerns, to make informed decisions. The MDCG also suggests that notified bodies develop schemes to allow allocation of capacity for SME manufacturers and first-time applicants, ensuring that such entities have access to the requisite conformity assessments.

Increase preparedness of manufacturers

The MDCG’s position paper also offers suggestions with respect to increasing the preparedness of manufacturers.  The MDCG reiterates its previous advice of ensuring timely compliance with MDR and IVDR requirements (MDCG 2022-11).  However, it notes that notified bodies can support this as the MDCG also encourages “structured dialogues” between notified bodies and manufacturers both before and during the conformity assessment, where these will enhance the efficiency and predictability of the process.

The MDCG recommends that all parties involved in the assessment process increase communication and educational offerings to manufacturers via webinars, workshops, and targeted feedback sessions. The MDCG provides the example of notified bodies working on common application guidelines for manufacturers, alongside national authorities promoting engagement with relevant stakeholders at national level.

Other actions facilitating transition to MDR/IVDR and/or shortage of devices

In its final category of recommendations, the MDCG generally encourages greater pragmatism and a reduction in the complexity of conformity assessments for safe and effective legacy devices (including orphan devices). In pursuit of such, the MDCG proposes:

  • The publication of additional guidance in respect of the practical application of Article 61 MDR (clinical evaluation), and possibly Article 56 IVDR (performance evaluation and clinical evidence), and to make appropriate use of the MDCG’s guidance on clinical evaluation equivalence for legacy devices.
  • The publication of specific guidance (including a definition) on so-called ‘orphan devices’.
  • Encouraging medicines authorities to accept and efficiently process consultations by notified bodies regarding medical devices incorporating ancillary medical substances and companion diagnostics.  In particular, allowing expedited reviews for devices already certified following consultation with a medicines authority under the prior directives.  

The MDCG also notes that it will endeavour to formulate a “coordinated, transparent and coherent approach” in respect of derogations from applicable conformity assessment procedures (i.e., in the interest of public health, patient safety or patient health).

Comment

Although this is merely a position paper, it shows that the MDCG and regulators are acutely aware of the lack of capacity of notified bodies and the impact of the delay in notified body review. Whether these recommendations will lead to any concrete changes is yet to be seen but the recommendations may encourage notified bodies to take a more pragmatic and flexible approach to the conformity assessment of medical devices and IVDs.  This could help manufacturers complete the conformity assessment (and ultimately CE mark their devices) under the Regulations more efficiently. The further guidance that the MDCG indicates is forthcoming is also encouraging.

On June 23, 2022, the German Federal Office for Information Security (“Office”) published technical guidelines on security requirements for healthcare apps, including mobile apps, web apps, and background systems.  Although the technical guidelines are aimed at healthcare app developers, they contain useful guidance for developers of any app that processes or stores sensitive data.

The guidelines set out a number of security levels and a security risk assessment.  The risk assessment takes into account the following aspects: (1) the apps’ purpose; (2) its architecture; (3) the source code; (4) third party software integrations; (5) cryptographic implementation; (6) authentication mechanisms; (7) data storage and protection; (8) auditing of paid resources; (9) network communication; (10) platform-specific interactions; and (11) resilience.  The guidelines also include specific security requirements for digital healthcare apps with biometric authentication mechanisms.

The guidelines are based on state-of-the-art security techniques used in the healthcare sector and the Office’s findings in several of its projects.  They also take into account feedback received from industry stakeholders, the German Federal Institute for Drugs and Medical Devices, and the German Federal Commissioner for Data Protection and Freedom of Information.

The Office offers a certification to healthcare apps that comply with the guidelines.

On April 6, 2022, the Office for Civil Rights (“OCR”) at the Department of Health and Human Services (“HHS”) published a request for information (“RFI”) seeking public comment on implementing certain provisions of the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, indicating that a rulemaking or further guidance related to the HITECH Act may be forthcoming.  Specifically, the RFI seeks input as to how covered entities and business associates are voluntarily implementing recognized security practices.  OCR will consider the implementation of such practices when making certain determinations relating to the resolution of potential violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule.  The RFI also seeks input on the process for distributing to harmed individuals a percentage of civil monetary penalties (“CMPs”) or monetary settlements collected pursuant to the HITECH Act.  Although HIPAA does not provide a private right of action, the potential for sharing in monetary penalties or settlements could incentivize individuals to report potential HIPAA violations to OCR.

Continue Reading OCR Seeks Comments Related to Recognized Security Practices and Distribution of Civil Monetary Penalties under the HITECH Act

On March 2, 2022, the Office of Inspector General (“OIG”) for the Department of Health and Human Services (“HHS”) posted an advisory opinion concluding that a digital program for the treatment of substance use disorders would raise minimal fraud and abuse risk.  OIG advisory opinions address the application of certain fraud and abuse enforcement authorities to the requesting party’s existing or proposed business arrangements.

Advisory Opinion No. 22-04 is notable given OIG’s consideration of the unique aspects of the requestor’s digital treatment program, which provides digital tools and contingency management incentives (“CM Incentives”), including cash equivalents, in order to motivate behavioral health changes in individuals who suffer from substance use disorders.  As digital health companies consider unique offerings to improve health outcomes and reduce costs, this advisory opinion provides some guidance on potential guardrails for designing digital health offerings.  The advisory opinion also follows the recent release of a Healthcare Common Procedure Coding System (“HCPCS”) code for qualifying digital therapeutics by the Centers for Medicare and Medicaid Services (“CMS”).  These developments will continue to support digital health companies, as well as drug or device manufacturers considering digital health offerings that complement their products (e.g., drug adherence apps and companion apps to smart devices), in navigating the complex and evolving digital health market.

Background on the Program

OIG issued the opinion in response to a request submitted on behalf of a digital health company (“Requester”).  Requester contracts with a variety of entities, including health plans, addiction treatment providers, employee assistance programs, and other institutions (“Customers”), to provide substance abuse treatment services and CM Incentives to individuals through smartphone and smart debit card technology.  Requester certified that the program is evidence-based, protocol-driven, and consistent with published principles issued by the National Institute on Drug Abuse.

Program Enrollment and Operation

Individuals may be referred to the program by a Customer or may self-refer.  An enrollment specialist, under the supervision of a licensed clinical supervisor, determines what type of services are appropriate for individuals enrolled in the program (each a “Member”).  For example, Members might receive the following services from the Requestor via smartphone:

  • Automated appointment reminders and attendance verification;
  • Medication reminders and self-administration verification;
  • Saliva drug testing, breathalyzer alcohol testing, Smokerlyzer CO testing for tobacco, and saliva cotinine testing for e-cigarettes, all verified via self-video;
  • Self-guided cognitive behavioral therapy (“CBT”) modules;
  • Various surveys and assessments;
  • Certified recovery coaching;
  • Community reinforcement and family training; and
  • Daily support groups.

Requestor is not a provider or supplier under any Federal health care program.  However, Members may or may not receive federally reimbursable services (e.g., a federally-reimbursable counseling session) from another supplier or provider, including from a Customer.

Services are provided and CM Incentives are distributed according to an evidence-based, automated algorithm over a 12-month period, which is divided into three phases of approximately four months each.  During the initial  “anchor” phase, the Member undergoes frequent substance testing and receives active CM Incentives for achieving specified behavioral health goals.  During the second “build phase,” substance testing frequency and CM Incentives decrease.  Finally, the “maintenance phase” reinforces behavioral health goals through non-incentive reinforcements.

Requestor provides CM Incentives through a smart debit card.  Members are eligible to receive CM Incentives based on (1) verified substance tests consistent with medical expectations (70% of potential CM Incentives); (2) treatment attendance (20%); and (3) completion of self-guided CBT modules and other features, including follow-up self-assessments (10%).  CM Incentives are capped at $200 per month, with an annual maximum of $599.00 per Member per year.

Customer Payment for the Program

Requestor contracts with various Customers, and individual Members and their families can also pay for the Program directly.  Requester offers two payment models: a flat monthly fee per eligible, active Member and a pay-for-performance model, under which Requestor is paid upon a Member achieving certain agreed-upon abstinence targets.

CM Incentives are held in reserve until the Member has successfully met specified targets.  When a Member does not engage with the application during a given month, the system designates that Member as “inactive.”  Customers are not billed any fees for inactive Members, and unspent CM Incentive fees are held in reserve until the Member becomes active again.

Legal Analysis

OIG found that two aspects of the program could potentially implicate the Federal anti-kickback statute (“AKS”) and the Beneficiary Inducements CMP.  First, even though Requestor does not bill Federal health care programs, it does collect fees from Customers and provide services that could incentivize a Member to receive a federally billable service (e.g., a federally-reimbursable counseling session).  Additionally, there is at least a theoretical risk that a Customer could pay Requestor’s fees to generate business or reward referrals of federally reimbursable services.  Some of the fees a Customer pays are passed on to Members as CM Incentives, based in part upon utilization of services that could be billable to Federal health care programs by another provider or supplier, including the same Customer.

Nonetheless, OIG determined that the program presents a minimal risk of fraud and abuse for four reasons.

  1. The program is protocol-driven and evidence-based.  Requestor cited reputable sources stating that CM is “highly effective” and “cost-efficient” for the treatment of substance abuse disorders.
  2. The risk of overutilization of federally reimbursable services is low.  According to OIG, the CM Incentives have a “relatively low [monetary] value.”  Additionally, a substantial portion of CM Incentives are not tied to federally payable services, and the Requester itself never bills Federal health care programs for services furnished.
  3. The risk is low that a Customer would pay Requestor’s fees to generate business or reward referrals of federally reimbursable services.  The fees paid by Customers do not vary based on the volume or value of federally reimbursable services rendered by that Customer.  Instead, the program is protocol-driven and set by the Requestor.
  4. Safeguards mitigate the risk of fraud and abuse associated with cash and cash-equivalent remuneration.  Requestor has full control over what services a Member needs and what CM Incentives are attached to such services.  Additionally, the smart debit card cannot be used at bars, liquor stores, casinos, or certain other locations and cannot be used to convert credit to cash.  The Requestor can also monitor use of the smart debit card, allowing recovery coaches and providers to be alerted in the event of a blocked purchase.

On January 25, 2022, Senators Patty Murray and Richard Burr (Chair and Ranking Member of the Senate Health, Education, Labor, and Pensions (HELP) Committee, respectively) released a “discussion draft” of bipartisan legislation—the Prepare for and Respond to Existing Viruses, Emerging New Threats, and Pandemics Act (“PREVENT Pandemics Act”)—which contains notable provisions related to digital health.  This post highlights three items of potential interest for stakeholders in the space.

  1. Future FDA Digital Health Guidance

Section 502 of the discussion draft, titled “Modernizing Clinical Trials,” would require FDA to issue three draft guidances:

  • The appropriate use of digital health tools in clinical trials to help improve recruitment, participation, and data collection. This draft guidance also would include recommendations for “increasing access to, and the use of, [digital health tools] in clinical trials to facilitate the inclusion of diverse and underrepresented populations.”
  • Use of decentralized clinical trials to support the development of drugs and devices, improve trial participant engagement, and advance the use of flexible and novel clinical trial designs. Similar to the above, this FDA draft guidance would also include recommendations on how to encourage diversity among clinical trial participants.
  • Use of seamless, concurrent, and other innovative clinical trial designs to support the expedited development and review of applications for drugs and biological products.

FDA would have to issue all three drafts within one year after date of enactment of the Act.  Notably, if these guidance directives are enacted, FDA also would need to assess how the required guidance documents intersect with existing FDA guidance, such as the December 2021 draft guidance titled Digital Health Technologies for Remote Data Acquisition in Clinical Investigations.

Watch this provision as it moves through the legislative process, as the topics and subtopics of the guidance directive could evolve and impact the content and timing of future FDA guidance relating to digital health technologies.

  1. Advancing Real-World Data and Real-World Evidence (RWD/E)

The last few months have seen increased FDA activity in the RWD/E front, with RWE playing a key role in notable regulatory decisions made by the Agency (see here and here).  Indeed, the Agency issued four new RWD/E guidance documents as part of the 21st Century Cures Act requirements, and made further RWD/E-related commitments as part of PDUFA VII for fiscal years 2023 through 2027.  The PREVENT Pandemics Act discussion draft makes clear that advancing RWD/E continues to be a topic of interest for Congress as well.  Section 505 of the discussion draft, titled “Facilitating the Use of Real World Evidence,” would require FDA to issue or revise guidance on the use of RWD/E to support regulatory decision making, including with respect to RWD/E from products authorized for emergency use (i.e., under an EUA pursuant to section 564 of the FDCA).  Not later than one year after enactment, FDA would have to issue or revise guidance that addresses the use of RWD/E to support the approval of a drug application (or clearance or classification of a device).  The guidance also would need to address considerations for the inclusion in such applications or submissions of RWD/E obtained as a result of the use of drugs or devices authorized by an EUA.

Watch for additional attention on advancing use of RWD/E.  In addition to the four recent draft guidances, CDER recently issued a 2022 guidance agenda that includes two new RWD/E draft guidances.

  1. Global Harmonization

Global harmonization continues to be a priority in the digital health space, with U.S., UK, and Canada regulators recently developing joint guiding principles for Good Machine Learning Practices.  Section 502 of the discussion draft requires FDA to continue its work with foreign regulators to facilitate international harmonization of regulation and use of decentralized clinical trials, digital health tools leveraged in clinical trials, and clinical trial designs.

Watch for more focus on the need for global coordination and potentially more joint recommendations from health authorities.  Also watch whether the new FDA Commissioner, Robert Califf, engages with his foreign regulatory counterparts on digital health and RWD/E.

Spurred by the realities of the COVID-19 pandemic, FDA has taken a number of regulatory actions to advance the use of digital health technologies (“DHTs”) in clinical trials.  DHTs provide sponsors with opportunities to capture a broader array of information from study subjects than is typically available through traditional study designs.  This includes information from activities at home, work, school, outdoors, and while sleeping.  DHTs also enable the collection of data from a broader population, such as from those typically unable to report on their own experiences (e.g., infants and persons with cognitive impairments) or unable to travel to a study location.  At the same time, DHTs also present unique challenges.  For example, how do sponsors validate and verify data collected from such DHTs?  How do sponsors ensure the data are reliable?  How do sponsors alleviate disparities in access to DHTs?

On February 9, 2022, FDA held a webinar to provide clarity on a recently released draft guidance, Digital Health Technologies for Remote Data Acquisition in Clinical Investigations (“the Draft DHT Guidance”) published in December 2021.  This blog post outlines five key takeaways from the recent FDA webinar.

Background: FDA’s Draft DHT Guidance

FDA’s Draft DHT Guidance provides recommendations to facilitate the use of DHTs, particularly with respect to clinical trials.  FDA defines DHTs as systems that use computing platforms, connectivity, software, and/or sensors to collect data for healthcare and related uses.  FDA acknowledges that some DHTs qualify as devices under the Federal Food Drug & Cosmetic Act (“FDCA”), meaning they are subject to FDA oversight, but others do not.  Indeed, during the recent FDA webinar, agency staff confirmed that marketing authorization is not necessary in order to use a DHT in a clinical investigation.  Also, the Draft DHT Guidance clarifies that DHTs may include technologies that run on “general-purpose computing platforms”—defined as “commercial off-the-shelf computing platforms, with or without wireless connectivity, that may be handheld or otherwise portable in nature” (e.g., mobile phones, smartwatches, and tablets)—that are not generally regulated as devices.  Examples of DHTs include glucometers, software to measure mental acuity, and combinations of such technologies (e.g., a continuous glucose monitor device with a mobile application serving as the interface and providing analysis and alarm functions).

The Draft DHT Guidance provides helpful and detailed descriptions of the types of information to submit to FDA, as well as several examples of DHTs and how a sponsor might go about selecting a DHT that would be useful for a particular clinical investigation.  For example, the Draft DHT Guidance addresses how data acquired through DHTs can help with the evaluation of study endpoints and specifies information that should be contained in an application (e.g., an IND or IDE) for a clinical investigation in which the sponsor intends to use one or more DHTs, or in a marketing application (e.g., PMA, 510(k), de novo, or HDE) that includes such an investigation.  FDA also explicitly states that some of the considerations may be helpful for interactions with the Agency regarding uses of DHTs beyond acquiring data, such as clinical trial enrichment strategies (e.g., the prospective use of patient characteristics to select a desirable study population).

The Draft DHT Guidance describes how a DHT should be verified, validated, and assessed for usability in order to be deployed in a clinical trial.  Study sponsors also should ensure that any DHT sought to be employed in a clinical study is “fit-for-purpose,” i.e., that “the level of validation associated with the DHT is sufficient to support its use and interpretability” in the context of how it will be used in the clinical study (its “context of use”).  Verification and validation are related concepts that can be used to ensure that a DHT is fit-for-purpose for remote data collection in a clinical investigation.  In this context, “verification” refers to confirmation that the DHT is accurate and precise, and “validation” refers to confirmation that the DHT appropriately assesses the clinical event or characteristic in the proposed participant population.  Usability testing, on the other hand, should identify and address any potential errors or problems trial participants may experience when using the DHT.  During the webinar, FDA staff recognized the potential to conduct DHT validation studies in a variety of environments, including studies in the real world collecting real-world data from participants.

The Promise of DHTs

During the webinar, FDA staff reiterated the promise of DHTs to improve health and health outcomes as well as significantly improve clinical investigations by facilitating innovative, efficient, and/or more pragmatic clinical trial designs.  The presenters highlighted how DHTs provide the opportunity to observe the full patient population, building in diversity and health equity up front.  For example, DHTs can help open clinical investigations to underrepresented patient populations via remote data acquisition and decentralized clinical trials (i.e., where some or all of the trial-related activities occur at a location separate from that of the investigator).  In addition to expanding the reach of the patient pool, this also alleviates the burden on patients of traveling to a trial site during working hours.  FDA cautions, however, that sponsors should consider ways they may need to adapt DHTs to allow for the inclusion of diverse populations (e.g., providing translated versions, ensuring DHTs reliably collect data from healthy participants as well as participants of interest, considering usability and access, etc.).  Additionally, sponsors may need to consider ways to alleviate disparities in access to DHTs (e.g., cost considerations, use of personal DHTs versus trial-provided DHTs, etc.).  For example, a 2021 bill introduced by Rep. Ruiz, titled the DIVERSE Trials Act, would confirm that the free provision of DHTs by drug or device manufacturers to their clinical trial participants would not be considered a violation of certain laws if the use of DHTs would facilitate the diversity of patient populations.

Five Key Takeaways from the FDA Webinar

  1. FDA’s recommendations for verification and validation of the DHT apply regardless of whether the DHT meets the definition of a device under the FDCA. In other words, sponsors need to ensure that all DHTs used in clinical trials—even non-device DHTs—are verified, validated, and assessed for usability.  That being said, FDA staff clarified during the webinar that only DHTs that meet the definition of a device and are intended to be used in a clinical trial are subject to 21 C.F.R. part 812 (regulations related to the use of investigational devices).  When asked during the webinar whether there were advantages of using a device DHT versus a non-device DHT in a clinical trial, FDA staff replied that it depends on the needs of the investigation and the intended use of the product.  For example, if the investigation requires glucose measurements, a review board would likely pause and have questions about the use of a DHT glucometer (typically a medical device) that has not been cleared by FDA’s Center for Devices and Radiological Health (“CDRH”).  FDA staff further confirmed that cleared devices reviewed by CDRH are a “good measure” of data, but that marketing authorization alone is not sufficient to show a DHT is fit-for-use.
  2. Most regulatory requirements for devices, including premarket clearance or approval, do not apply to DHTs intended for use in clinical investigations if the clinical investigation complies with applicable requirements under 21 C.F.R. part 812, but sponsors may have other obligations when they employ DHTs that are devices. For example, if a sponsor undertakes any clinical verification or validation testing of a DHT that qualifies as a device under the FDCA, that testing may itself constitute a clinical investigation subject to applicable investigational device regulations (i.e., 21 C.F.R. parts 50, 56, and/or 812).  Additionally, if a DHT used in an investigation qualifies as a significant risk device under 21 C.F.R. § 812.3(m), the sponsor would be required to submit an IDE to FDA for the same investigation.  During the webinar, FDA staff cautioned that DHTs also intended for use outside of a clinical investigation should be treated just like any other device intended for market, including that Medical Device Reporting obligations under 21 CFR part 803 could be triggered if a device DHT malfunctions or causes a death or serious injury.
  3. FDA encourages external collaboration and recycling to rapidly advance and multiply the use of DHTs. During the webinar, FDA recommended sponsors involve DHT manufacturers, patients, caregivers, regulators, and other stakeholders in validation steps to ensure the product is fit-for-purpose.  FDA also emphasized that sponsors should leverage data that may be available from multiple sources, such as marketing applications or data from the DHT manufacturer, to support their submissions and fit-for-purpose arguments.  FDA presenters also encouraged sponsors to make use of voluntary qualification programs to allow for reliance on DHTs in multiple clinical investigations for different premarket submissions.  For example, although the Draft DHT Guidance recommends that study sponsors ensure that DHTs employed in a particular clinical trial are fit-for-purpose, the Agency notes that the multiple mechanisms exist by which DHTs may be pre-qualified for contexts of use, including qualification as a “Drug/Medical Device Development Tool.”  For DHTs that are outside the scope of the DDT qualification programs but still present a potential benefit for drug development, FDA suggests that sponsors and other stakeholders consider submitting DHT-related proposals to the Innovative Science and Technology Approaches for New Drugs (“ISTAND”) Pilot Program.  In short, one of FDA’s aims appears to be around fostering collaboration and wide use of DHTs.
  4. Novel endpoints driven by new insights that were not previously measurable before DHTs should be developed as in any other instance. When a DHT will simply replicate an existing endpoint, however, a new justification will generally not be expected (although validation of the new method to measure the endpoint should still be provided).  In any event, FDA staff clarified that sponsors may leverage existing data for future clinical trials and need not repeat evidence generation.  FDA staff also noted they look forward to making available examples of digital endpoints as they become public.
  5. Consult FDA early and often. During the webinar, FDA staff repeatedly encouraged sponsors to engage with FDA and early and often when considering using DHTs in a clinical trial.  FDA staff emphasized that the earlier sponsors can obtain feedback, the better.  FDA also recommended sponsors make use of FDA guidance documents and additional mechanisms (such as the voluntary programs described above) to receive clarity on whether a proposed DHT would be appropriate for any particular trial.

FDA staff expressed that they look forward to receiving input on the Draft DHT Guidance to inform their next steps.  Comments regarding the Draft DHT Guidance are due by March 22, 2022.

On January 21, the Federal Trade Commission (“FTC”) announced new resources to help companies determine their obligations under the Health Breach Notification Rule (the “Rule”): the Health Breach Notification Rule: Basics for Business, which provides a quick introduction to the Rule, and Complying with FTC’s Health Breach Notification Rule (“Compliance Guidance”), a more in-depth compliance guidance.  These resources follow the FTC’s September 2021 Policy Statement, which expanded the Rule’s application to the developers of health apps, connected devices, and similar products, and similarly emphasize the FTC’s continued scrutiny of health technology.

Continue Reading FTC Releases New Health Breach Notification Rule Guidance, Targets Health Apps and Connected Devices